0003964
Directive 2006/43/EC of the European Parliament and of the Council of 17 May 2006 on statutory audits of annual accounts and consolidated accounts, amending Council Directives 78/660/EEC and 83/349/EEC and repealing Council Directive 84/253/EEC
European Parliament
Regulations
Free
European SOX
Directive 2006/43/EC of the European Parliament and of the Council of 17 May 2006 on statutory audits of annual accounts and consolidated accounts, amending Council Directives 78/660/EEC and 83/349/EEC and repealing Council Directive 84/253/EEC
Not Defined
0003964
Free
European Parliament
Regulations
European SOX
Directive 2006/43/EC of the European Parliament and of the Council of 17 May 2006 on statutory audits of annual accounts and consolidated accounts, amending Council Directives 78/660/EEC and 83/349/EEC and repealing Council Directive 84/253/EEC
Not Defined
This Authority Document In Depth Report is copyrighted - © 2024 - Network Frontiers LLC. All rights reserved. Copyright in the Authority Document analyzed herein is held by its authors. Network Frontiers makes no claims of copyright in this Authority Document.
This Authority Document In Depth Report is provided for informational purposes only and does not constitute, and should not be construed as, legal advice. The reader is encouraged to consult with an attorney experienced in these areas for further explanation and advice.
This Authority Document In Depth Report provides analysis and guidance for use and implementation of the Authority Document but it is not a substitute for the original authority document itself. Readers should refer to the original authority document as the definitive resource on obligations and compliance requirements.
This document has been mapped into the Unified Compliance Framework using a patented methodology and patented tools (you can research our patents HERE). The mapping team has taken every effort to ensure the quality of mapping is of the highest degree. To learn more about the process we use to map Authority Documents, or to become involved in that process, click HERE.
When the UCF Mapping Teams tag Citations and their associated mandates within an Authority Document, those Citations and Mandates are tied to Common Controls. In addition, and by virtue of those Citations and mandates being tied to Common Controls, there are three sets of meta data that are associated with each Citation; Controls by Impact Zone, Controls by Type, and Controls by Classification.
The online version of the mapping analysis you see here is just a fraction of the work the UCF Mapping Team has done. The downloadable version of this document, available within the Common Controls Hub (available HERE) contains the following:
Document implementation analysis – statistics about the document’s alignment with Common Controls as compared to other Authority Documents and statistics on usage of key terms and non-standard terms.
Citation and Mandate Tagging and Mapping – A complete listing of each and every Citation we found within Directive 2006/43/EC of the European Parliament and of the Council of 17 May 2006 on statutory audits of annual accounts and consolidated accounts, amending Council Directives 78/660/EEC and 83/349/EEC and repealing Council Directive 84/253/EEC that have been tagged with their primary and secondary nouns and primary and secondary verbs in three column format. The first column shows the Citation (the marker within the Authority Document that points to where we found the guidance). The second column shows the Citation guidance per se, along with the tagging for the mandate we found within the Citation. The third column shows the Common Control ID that the mandate is linked to, and the final column gives us the Common Control itself.
Dictionary Terms – The dictionary terms listed for Directive 2006/43/EC of the European Parliament and of the Council of 17 May 2006 on statutory audits of annual accounts and consolidated accounts, amending Council Directives 78/660/EEC and 83/349/EEC and repealing Council Directive 84/253/EEC are based upon terms either found within the Authority Document’s defined terms section(which most legal documents have), its glossary, and for the most part, as tagged within each mandate. The terms with links are terms that are the standardized version of the term.
Common Controls andAn Impact Zone is a hierarchical way of organizing our suite of Common Controls — it is a taxonomy. The top levels of the UCF hierarchy are called Impact Zones. Common Controls are mapped within the UCF’s Impact Zones and are maintained in a legal hierarchy within that Impact Zone. Each Impact Zone deals with a separate area of policies, standards, and procedures: technology acquisition, physical security, continuity, records management, etc.
The UCF created its taxonomy by looking at the corpus of standards and regulations through the lens of unification and a view toward how the controls impact the organization. Thus, we created a hierarchical structure for each impact zone that takes into account regulatory and standards bodies, doctrines, and language.
Audits and risk management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Audits and risk management CC ID 00677 | IT Impact Zone | IT Impact Zone | |
| Establish, implement, and maintain a Statement of Compliance. CC ID 12499 | Establish/Maintain Documentation | Preventive | |
| Publish a Statement of Compliance for the organization's external requirements. CC ID 12350 [Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: the overall results of the quality assurance system shall be published annually; Article 29 1.(i)] | Communicate | Preventive | |
| Define the roles and responsibilities for personnel assigned to tasks in the Audit function. CC ID 00678 [Member States shall ensure that in the case of a statutory audit of the consolidated accounts of a group of undertakings: the group auditor bears the full responsibility for the audit report in relation with the consolidated accounts; Article 27 ¶ 1 (a)] | Establish Roles | Preventive | |
| Manage supply chain audits. CC ID 01203 | Audits and Risk Management | Preventive | |
| Review the external auditors involvement in assessing Information Technology controls. CC ID 01204 | Audits and Risk Management | Preventive | |
| Rotate auditors, as necessary. CC ID 15589 [Member States shall ensure that the key audit partner(s) responsible for carrying out a statutory audit rotate(s) from the audit engagement within a maximum period of seven years from the date of appointment and is/are allowed to participate in the audit of the audited entity again after a period of at least two years. Article 42 2.] | Audits and Risk Management | Preventive | |
| Withdraw the approvals of auditors, as necessary. CC ID 17260 [Approval of a statutory auditor or an audit firm shall be withdrawn if the good repute of that person or firm has been seriously compromised. Member States may, however, provide for a reasonable period of time for the purpose of meeting the requirements of good repute. Article 5 1. Approval of an audit firm shall be withdrawn if any of the conditions imposed in Article 3(4), points (b) and (c) is no longer fulfilled. Member States may, however, provide for a reasonable period of time for the purpose of fulfilling those conditions. Article 5 2. Member States shall ensure that statutory auditors or audit firms may be dismissed only where there are proper grounds. Divergence of opinions on accounting treatments or audit procedures shall not be proper grounds for dismissal. Article 38 1.] | Business Processes | Preventive | |
| Define the qualification requirements for auditors. CC ID 17259 [The competent authorities of the Member States may approve as audit firms only those entities which satisfy the following conditions: the natural persons who carry out statutory audits on behalf of an audit firm must satisfy at least the conditions imposed by Articles 4 and 6 to 12 and must be approved as statutory auditors in the Member State concerned; Article 3 4.(a) Without prejudice to Article 11, the competent authorities of the Member States may approve as statutory auditors only natural persons who satisfy at least the conditions laid down in Articles 4 and 6 to 10. Article 3 3. The competent authorities of the Member States may approve as audit firms only those entities which satisfy the following conditions: a majority of the voting rights in an entity must be held by audit firms which are approved in any Member State or by natural persons who satisfy at least the conditions imposed by Articles 4 and 6 to 12. Member States may provide that such natural persons must also have been approved in another Member State. For the purpose of the statutory audit of cooperatives and similar entities as referred to in Article 45 of Directive 86/635/EEC, Member States may establish other specific provisions in relation to voting rights; Article 3 4.(b) The competent authorities of the Member States may approve as audit firms only those entities which satisfy the following conditions: a majority — up to a maximum of 75 % — of the members of the administrative or management body of the entity must be audit firms which are approved in any Member State or natural persons who satisfy at least the conditions imposed by Articles 4 and 6 to 12. Member States may provide that such natural persons must also have been approved in another Member State. Where such a body has no more than two members, one of those members must satisfy at least the conditions in this point; Article 3 4.(c) The competent authorities of the Member States may approve as audit firms only those entities which satisfy the following conditions: the firm must satisfy the condition imposed by Article 4. Article 3 4.(d) {audit firms} The competent authorities of a Member State may grant approval only to natural persons or firms of good repute. Article 4 ¶ 1 Without prejudice to Article 11, a natural person may be approved to carry out a statutory audit only after having attained university entrance or equivalent level, then completed a course of theoretical instruction, undergone practical training and passed an examination of professional competence of university final or equivalent examination level, organised or recognised by the Member State concerned. Article 6 ¶ 1 A Member State may approve a person who does not satisfy the conditions laid down in Article 6 as a statutory auditor, if he or she can show either: that he or she has, for 15 years, engaged in professional activities which have enabled him or her to acquire sufficient experience in the fields of finance, law and accountancy, and has passed the examination of professional competence referred to in Article 7, or Article 11 ¶ 1 (a) A Member State may approve a person who does not satisfy the conditions laid down in Article 6 as a statutory auditor, if he or she can show either: that he or she has, for seven years, engaged in professional activities in those fields and has, in addition, undergone the practical training referred to in Article 10 and passed the examination of professional competence referred to in Article 7. Article 11 ¶ 1 (b) The competent authorities of the Member States shall establish procedures for the approval of statutory auditors who have been approved in other Member States. Those procedures shall not go beyond a requirement to pass an aptitude test in accordance with Article 4 of Council Directive 89/48/EEC of 21 December 1988 on a general system for the recognition of higher-education diplomas awarded on completion of professional education and training of at least three years' duration (18). The aptitude test, which shall be conducted in one of the languages permitted by the language rules applicable in the Member State concerned, shall cover only the statutory auditor's adequate knowledge of the laws and regulations of that Member State in so far as relevant to statutory audits. Article 14 ¶ 1 In order to ensure the ability to apply theoretical knowledge in practice, a test of which is included in the examination, a trainee shall complete a minimum of three years' practical training in, inter alia, the auditing of annual accounts, consolidated accounts or similar financial statements. At least two thirds of such practical training shall be completed with a statutory auditor or audit firm approved in any Member State. Article 10 1. Member States shall ensure that the key audit partner(s) responsible for carrying out a statutory audit rotate(s) from the audit engagement within a maximum period of seven years from the date of appointment and is/are allowed to participate in the audit of the audited entity again after a period of at least two years. Article 42 2. Subject to reciprocity, the competent authorities of a Member State may approve a third-country auditor as statutory auditor if that person has furnished proof that he or she complies with requirements equivalent to those laid down in Articles 4 and 6 to 13. Article 44 1.] | Human Resources Management | Preventive | |
| Disseminate and communicate the auditor's qualification requirements to interested personnel and affected parties. CC ID 17265 | Communicate | Preventive | |
| Assign the roles and responsibilities for the Board of Directors and senior management in the Audit function. CC ID 00679 | Establish Roles | Preventive | |
| Assign the Board of Directors to address audit findings. CC ID 12396 | Human Resources Management | Corrective | |
| Assign the internal audit staff to be independent from business units reporting to the Board of Directors. CC ID 01184 | Establish Roles | Preventive | |
| Define and assign the internal audit manager's roles and responsibilities. CC ID 00680 | Establish Roles | Preventive | |
| Report audit findings to interested personnel and affected parties. CC ID 01152 [The statutory auditor or audit firm shall report to the audit committee on key matters arising from the statutory audit, and in particular on material weaknesses in internal control in relation to the financial reporting process. Article 41 4.] | Testing | Detective | |
| Assign the internal audit manager's compensation and performance review to the Board of Directors or audit committee. CC ID 01186 | Establish Roles | Preventive | |
| Define and assign the internal audit staff's roles and responsibilities. CC ID 00681 | Establish Roles | Preventive | |
| Assign the responsibility for operating an internal control system to the internal audit staff. CC ID 01187 | Establish Roles | Preventive | |
| Define and assign the external auditor's roles and responsibilities. CC ID 00683 [The statutory auditor or audit firm shall be appointed by the general meeting of shareholders or members of the audited entity. Article 37 1.] | Establish Roles | Preventive | |
| Engage auditors who have adequate knowledge of the subject matter. CC ID 07102 | Audits and Risk Management | Preventive | |
| Retain copies of external auditor outsourcing contracts and engagement letters. CC ID 01188 | Establish/Maintain Documentation | Preventive | |
| Review external auditor outsourcing contracts and engagement letters. CC ID 01189 [Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: the scope of the quality assurance review, supported by adequate testing of selected audit files, shall include an assessment of compliance with applicable auditing standards and independence requirements, of the quantity and quality of resources spent, of the audit fees charged and of the internal quality control system of the audit firm; Article 29 1.(f)] | Establish/Maintain Documentation | Preventive | |
| Include roles and responsibilities in external auditor outsourcing contracts. CC ID 16523 | Establish/Maintain Documentation | Preventive | |
| Include a change control clause in external auditor outsourcing contracts. CC ID 01192 | Establish/Maintain Documentation | Preventive | |
| Include procedures for resolving problems in external auditor outsourcing contracts. CC ID 01196 | Establish/Maintain Documentation | Preventive | |
| Include procedures for controlling the use of restricted information in external auditor outsourcing contracts. CC ID 01194 | Establish/Maintain Documentation | Preventive | |
| Include reports and work paper Records Management practices in external auditor outsourcing contracts. CC ID 01195 | Establish/Maintain Documentation | Preventive | |
| Include communication protocols in external auditor outsourcing contracts. CC ID 01201 | Establish/Maintain Documentation | Preventive | |
| Review the external audit scope, as necessary. CC ID 01202 | Audits and Risk Management | Preventive | |
| Review the external audit assertion for accuracy. CC ID 06977 | Testing | Detective | |
| Review the risk assessments as compared to the in scope controls. CC ID 06978 | Testing | Detective | |
| Include nondisclosure agreements in external auditor outsourcing contracts. CC ID 10014 | Audits and Risk Management | Detective | |
| Include the scope and work to be performed in external auditor outsourcing contracts. CC ID 01190 | Establish/Maintain Documentation | Preventive | |
| Include work status reporting requirements in the external auditor outsourcing contracts. CC ID 01191 | Establish/Maintain Documentation | Preventive | |
| Include access to work papers in external auditor outsourcing contracts. CC ID 01193 | Establish/Maintain Documentation | Preventive | |
| Review the external auditor's qualifications. CC ID 01197 | Audits and Risk Management | Preventive | |
| Conduct a performance review of the external auditor's performance during the audit process. CC ID 01198 [{investigation process} {disciplinary process} The system of public oversight shall have the ultimate responsibility for the oversight of: continuing education, quality assurance and investigative and disciplinary systems. Article 32 4.(c) The competent authorities of Member States responsible for approval, registration, quality assurance, inspection and discipline shall cooperate with each other whenever necessary for the purpose of carrying out their respective responsibilities under this Directive. The competent authorities in a Member State responsible for approval, registration, quality assurance, inspection and discipline shall render assistance to competent authorities in other Member States. In particular, competent authorities shall exchange information and cooperate in investigations related to the carrying-out of statutory audits. Article 36 1. The system of public oversight shall have the right, where necessary, to conduct investigations in relation to statutory auditors and audit firms and the right to take appropriate action. Article 32 5. Member States shall ensure that there are effective systems of investigations and penalties to detect, correct and prevent inadequate execution of the statutory audit. Article 30 1. {third-country audit entity} Member States shall subject registered third-country auditors and audit entities to their systems of oversight, their quality assurance systems and their systems of investigation and penalties. A Member State may exempt a registered third-country auditor or audit entity from being subject to its quality assurance system if another Member State's or third country's system of quality assurance that has been assessed as equivalent in accordance with Article 46 has carried out a quality review of the third-country auditor or audit entity concerned during the previous three years. Article 45 3.] | Audits and Risk Management | Preventive | |
| Review the adequacy of the external auditor's work papers and audit reports. CC ID 01199 | Establish/Maintain Documentation | Preventive | |
| Review the conclusions of the external auditor's work papers and audit reports. CC ID 01200 | Establish/Maintain Documentation | Preventive | |
| Question external auditors about how audits were conducted and what is in the audit reports. CC ID 04587 | Behavior | Preventive | |
| Disseminate and communicate with the organization about any missing audit documentation. CC ID 06992 | Behavior | Preventive | |
| Evaluate any refusal by the organization to provide missing audit documentation. CC ID 06993 | Establish/Maintain Documentation | Preventive | |
| Take appropriate action if missing audit documentation compromises the audit. CC ID 06994 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain an audit program. CC ID 00684 [Without prejudice to the responsibility of the members of the administrative, management or supervisory bodies, or of other members who are appointed by the general meeting of shareholders of the audited entity, the audit committee shall, inter alia: monitor the statutory audit of the annual and consolidated accounts; Article 41 2.(c)] | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain audit policies. CC ID 13166 | Establish/Maintain Documentation | Preventive | |
| Assign the audit to impartial auditors. CC ID 07118 [Member States shall ensure that when carrying out a statutory audit, the statutory auditor and/or the audit firm is independent of the audited entity and is not involved in the decision-taking of the audited entity. Article 22 1. {alternative measures} Member States may allow alternative systems or modalities for the appointment of the statutory auditor or audit firm, provided that those systems or modalities are designed to ensure the independence of the statutory auditor or audit firm from the executive members of the administrative body or from the managerial body of the audited entity. Article 37 2.] | Establish Roles | Preventive | |
| Define what constitutes a threat to independence. CC ID 16824 [In addition to the provisions laid down in Articles 22 and 24, Member States shall ensure that statutory auditors or audit firms that carry out the statutory audit of a public-interest entity: discuss with the audit committee the threats to their independence and the safeguards applied to mitigate those threats as documented by them pursuant to Article 22(3). Article 42 1.(c)] | Audits and Risk Management | Preventive | |
| Mitigate the threats to an auditor's independence. CC ID 17282 [Member States shall ensure that a statutory auditor or an audit firm shall not carry out a statutory audit if there is any direct or indirect financial, business, employment or other relationship — including the provision of additional non-audit services — between the statutory auditor, audit firm or network and the audited entity from which an objective, reasonable and informed third party would conclude that the statutory auditor's or audit firm's independence is compromised. If the statutory auditor's or audit firm's independence is affected by threats, such as self-review, self-interest, advocacy, familiarity or trust or intimidation, the statutory auditor or audit firm must apply safeguards in order to mitigate those threats. If the significance of the threats compared to the safeguards applied is such that his, her or its independence is compromised, the statutory auditor or audit firm shall not carry out the statutory audit. Article 22 2. ¶ 1 Member States shall ensure that a statutory auditor or audit firm documents in the audit working papers all significant threats to his, her or its independence as well as the safeguards applied to mitigate those threats. Article 22 3. {administrative bodies} {management bodies} Member States shall ensure that the owners or shareholders of an audit firm as well as the members of the administrative, management and supervisory bodies of such a firm, or of an affiliated firm, do not intervene in the execution of a statutory audit in any way which jeopardises the independence and objectivity of the statutory auditor who carries out the statutory audit on behalf of the audit firm. Article 24 ¶ 1 In addition to the provisions laid down in Articles 22 and 24, Member States shall ensure that statutory auditors or audit firms that carry out the statutory audit of a public-interest entity: discuss with the audit committee the threats to their independence and the safeguards applied to mitigate those threats as documented by them pursuant to Article 22(3). Article 42 1.(c)] | Process or Activity | Preventive | |
| Determine if requested services create a threat to independence. CC ID 16823 [Member States shall ensure that a statutory auditor or audit firm documents in the audit working papers all significant threats to his, her or its independence as well as the safeguards applied to mitigate those threats. Article 22 3. Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: the scope of the quality assurance review, supported by adequate testing of selected audit files, shall include an assessment of compliance with applicable auditing standards and independence requirements, of the quantity and quality of resources spent, of the audit fees charged and of the internal quality control system of the audit firm; Article 29 1.(f) Without prejudice to the responsibility of the members of the administrative, management or supervisory bodies, or of other members who are appointed by the general meeting of shareholders of the audited entity, the audit committee shall, inter alia: review and monitor the independence of the statutory auditor or audit firm, and in particular the provision of additional services to the audited entity. Article 41 2.(d)] | Audits and Risk Management | Detective | |
| Exercise due professional care during the planning and performance of the audit. CC ID 07119 | Behavior | Preventive | |
| Include resource requirements in the audit program. CC ID 15237 | Establish/Maintain Documentation | Preventive | |
| Include risks and opportunities in the audit program. CC ID 15236 | Establish/Maintain Documentation | Preventive | |
| Include provisions for legislative plurality and legislative domain in the audit program. CC ID 06959 | Audits and Risk Management | Preventive | |
| Establish and maintain audit terms. CC ID 13880 | Establish/Maintain Documentation | Preventive | |
| Refrain from approving changes to the audit terms absent reasonable justification. CC ID 13973 | Process or Activity | Preventive | |
| Include a statement about the inherent limitations of the audit in the audit terms. CC ID 13883 | Establish/Maintain Documentation | Preventive | |
| Include a statement that the audit will be conducted in accordance with attestation standards in the audit terms. CC ID 13882 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain agreed upon procedures that are in scope for the audit. CC ID 13893 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain an in scope system description. CC ID 14873 | Establish/Maintain Documentation | Preventive | |
| Include in scope procedures in the audit assertion's in scope system description. CC ID 16551 | Audits and Risk Management | Preventive | |
| Include roles and responsibilities in the audit assertion's in scope system description. CC ID 16558 | Audits and Risk Management | Preventive | |
| Include the audit criteria in the audit assertion's in scope system description. CC ID 16548 | Audits and Risk Management | Preventive | |
| Include facility locations in the audit assertion's in scope system description. CC ID 17261 | Establish/Maintain Documentation | Preventive | |
| Include third party data in the audit assertion's in scope system description. CC ID 16554 | Audits and Risk Management | Preventive | |
| Include third party personnel in the audit assertion's in scope system description. CC ID 16552 | Audits and Risk Management | Preventive | |
| Include compliance requirements in the audit assertion's in scope system description. CC ID 16506 | Audits and Risk Management | Preventive | |
| Include third party assets in the audit assertion's in scope system description. CC ID 16550 | Audits and Risk Management | Preventive | |
| Include third party services in the audit assertion's in scope system description. CC ID 16503 | Establish/Maintain Documentation | Preventive | |
| Include monitoring controls in the audit assertion's in scope system description. CC ID 16501 | Establish/Maintain Documentation | Preventive | |
| Include availability commitments in the audit assertion's in scope system description. CC ID 14914 | Establish/Maintain Documentation | Preventive | |
| Include deviations and the corrective actions taken in the audit assertion's in scope system description. CC ID 16549 | Audits and Risk Management | Preventive | |
| Include changes in the audit assertion's in scope system description. CC ID 14894 | Establish/Maintain Documentation | Preventive | |
| Include external communications in the audit assertion's in scope system description. CC ID 14913 | Establish/Maintain Documentation | Preventive | |
| Include a section regarding incidents related to the system in the audit assertion’s in scope system description. CC ID 14878 | Establish/Maintain Documentation | Preventive | |
| Include the function performed by the in scope system in the audit assertion's in scope system description. CC ID 14911 | Establish/Maintain Documentation | Preventive | |
| Include the disposition of the incident in the audit assertion's in scope system description. CC ID 14896 | Establish/Maintain Documentation | Preventive | |
| Include the extent of the incident in the audit assertion's in scope system description. CC ID 14895 | Establish/Maintain Documentation | Preventive | |
| Include the timing of each incident in the audit assertion's in scope system description. CC ID 14891 | Establish/Maintain Documentation | Preventive | |
| Include the nature of each incident in the audit assertion's in scope system description. CC ID 14889 | Establish/Maintain Documentation | Preventive | |
| Include a section regarding in scope controls related to the system in the audit assertion's in scope system description. CC ID 14897 | Establish/Maintain Documentation | Preventive | |
| Include how the in scope system meets external requirements in the audit assertion's in scope system description. CC ID 16502 | Establish/Maintain Documentation | Preventive | |
| Include the timing of each control in the audit assertion's in scope system description. CC ID 14916 | Establish/Maintain Documentation | Preventive | |
| Include the nature of the control in the audit assertion's in scope system description. CC ID 14910 | Establish/Maintain Documentation | Preventive | |
| Include the information sources used in performing the control in the audit assertion's in scope system description. CC ID 14909 | Establish/Maintain Documentation | Preventive | |
| Include the responsible party for performing the control in the audit assertion's in scope system description. CC ID 14907 | Establish/Maintain Documentation | Preventive | |
| Include the subject matter to which the control is applied in the audit assertion's in scope system description. CC ID 14904 | Establish/Maintain Documentation | Preventive | |
| Refrain from omitting or distorting information in the audit assertion's in scope system description. CC ID 14893 | Establish/Maintain Documentation | Preventive | |
| Include the timing of each change in the audit assertion's in scope system description. CC ID 14892 | Establish/Maintain Documentation | Preventive | |
| Include the system boundaries in the audit assertion's in scope system description. CC ID 14887 | Establish/Maintain Documentation | Preventive | |
| Determine the presentation method of the audit assertion's in scope system description. CC ID 14885 | Establish/Maintain Documentation | Detective | |
| Include the time frame covered by the description in the audit assertion's in scope system description. CC ID 14884 | Establish/Maintain Documentation | Preventive | |
| Include commitments to third parties in the audit assertion. CC ID 14899 | Establish/Maintain Documentation | Preventive | |
| Determine the completeness of the audit assertion's in scope system description. CC ID 14883 | Establish/Maintain Documentation | Preventive | |
| Determine the appropriateness of the audit assertion's in scope system description. CC ID 16449 | Audits and Risk Management | Detective | |
| Include system requirements in the audit assertion's in scope system description. CC ID 14881 | Establish/Maintain Documentation | Preventive | |
| Include third party controls in the audit assertion's in scope system description. CC ID 14880 | Establish/Maintain Documentation | Preventive | |
| Hold an opening meeting with interested personnel and affected parties prior to an audit. CC ID 15256 | Audits and Risk Management | Preventive | |
| Identify personnel who should attend the closing meeting. CC ID 15261 | Business Processes | Preventive | |
| Confirm audit requirements during the opening meeting. CC ID 15255 | Audits and Risk Management | Detective | |
| Include discussions about how particular situations will be handled in the opening meeting. CC ID 15254 | Audits and Risk Management | Preventive | |
| Include agreement to the audit scope and audit terms in the audit program. CC ID 06965 | Establish/Maintain Documentation | Preventive | |
| Establish and maintain a bespoke audit scope for each audit being performed. CC ID 13077 | Establish/Maintain Documentation | Preventive | |
| Include third party assets in the audit scope. CC ID 16504 | Audits and Risk Management | Preventive | |
| Include audit subject matter in the audit program. CC ID 07103 | Establish/Maintain Documentation | Preventive | |
| Examine the availability of the audit criteria in the audit program. CC ID 16520 | Investigate | Preventive | |
| Examine the objectivity of the audit criteria in the audit program. CC ID 07104 | Establish/Maintain Documentation | Preventive | |
| Examine the measurability of the audit criteria in the audit program. CC ID 07105 | Establish/Maintain Documentation | Preventive | |
| Examine the completeness of the audit criteria in the audit program. CC ID 07106 | Establish/Maintain Documentation | Preventive | |
| Examine the relevance of the audit criteria in the audit program. CC ID 07107 | Establish/Maintain Documentation | Preventive | |
| Determine the appropriateness of the audit subject matter. CC ID 16505 | Audits and Risk Management | Preventive | |
| Disseminate and communicate the audit program with the audit subject matter and audit criteria to all interested personnel and affected parties. CC ID 07116 | Establish/Maintain Documentation | Preventive | |
| Include the in scope material or in scope products in the audit program. CC ID 08961 | Audits and Risk Management | Preventive | |
| Include in scope information in the audit program. CC ID 16198 | Establish/Maintain Documentation | Preventive | |
| Include the out of scope material or out of scope products in the audit program. CC ID 08962 | Establish/Maintain Documentation | Preventive | |
| Provide a representation letter in support of the audit assertion. CC ID 07158 | Establish/Maintain Documentation | Preventive | |
| Include the date of the audit in the representation letter. CC ID 16517 | Audits and Risk Management | Preventive | |
| Include a statement that management has evaluated compliance with external requirements in the representation letter. CC ID 13942 | Establish/Maintain Documentation | Preventive | |
| Include a statement that management has disclosed the implementation status in the representation letter. CC ID 17162 | Audits and Risk Management | Preventive | |
| Include a statement that the assumptions used for estimates are reasonable in the representation letter. CC ID 13934 | Establish/Maintain Documentation | Preventive | |
| Include a statement that uncorrected misstatements are believed to be immaterial in the representation letter. CC ID 13884 | Establish/Maintain Documentation | Preventive | |
| Include a statement that system incidents have been disclosed to the auditor in the representation letter. CC ID 16772 | Establish/Maintain Documentation | Preventive | |
| Include a statement that incidents of fraud and non-compliance have been disclosed to the auditor in the representation letter. CC ID 16769 | Establish/Maintain Documentation | Preventive | |
| Include a statement of responsibility for the subject matter in the representation letter. CC ID 07159 | Establish/Maintain Documentation | Preventive | |
| Include a statement of responsibility for selecting the audit criteria in the representation letter. CC ID 07160 | Establish/Maintain Documentation | Preventive | |
| Include a statement of responsibility regarding the appropriateness of the audit criteria in the representation letter. CC ID 07161 | Establish/Maintain Documentation | Preventive | |
| Include an assertion about the subject matter based on the selected audit criteria in the representation letter. CC ID 07162 | Establish/Maintain Documentation | Preventive | |
| Include a statement that all known matters contradicting the audit assertion have been disclosed to the auditor in the representation letter. CC ID 07163 | Establish/Maintain Documentation | Preventive | |
| Include the availability of all in scope records relevant to the subject matter in the representation letter. CC ID 07164 | Establish/Maintain Documentation | Preventive | |
| Include a statement that any known subsequent events have been disclosed to the auditor in the representation letter. CC ID 07165 | Establish/Maintain Documentation | Preventive | |
| Include a statement that deficiencies in internal controls have been disclosed to the auditor in the representation letter. CC ID 13899 | Establish/Maintain Documentation | Preventive | |
| Establish and maintain audit assertions, as necessary. CC ID 14871 | Establish/Maintain Documentation | Detective | |
| Include an in scope system description in the audit assertion. CC ID 14872 | Establish/Maintain Documentation | Preventive | |
| Include any assumptions that are improbable in the audit assertion. CC ID 13950 | Establish/Maintain Documentation | Preventive | |
| Include investigations and legal proceedings in the audit assertion. CC ID 16846 | Establish/Maintain Documentation | Preventive | |
| Include how the audit scope matches in scope controls in the audit assertion. CC ID 06969 | Establish/Maintain Documentation | Preventive | |
| Include why specific criteria are ignored by in scope controls in the audit assertion. CC ID 07027 | Establish/Maintain Documentation | Preventive | |
| Include how the in scope system is designed and implemented in the audit assertion. CC ID 06970 | Establish/Maintain Documentation | Preventive | |
| Include the responsible party's opinion of the quality of the evidence in the audit assertion. CC ID 13949 | Establish/Maintain Documentation | Preventive | |
| Include the end users and affected parties of the in scope system in the audit assertion. CC ID 07028 | Establish/Maintain Documentation | Preventive | |
| Include the in scope services offered or in scope transactions processed in the audit assertion. CC ID 06971 | Establish/Maintain Documentation | Preventive | |
| Include the in scope procedures in the audit assertion. CC ID 06972 | Establish/Maintain Documentation | Preventive | |
| Include the in scope records produced in the audit assertion. CC ID 06968 | Establish/Maintain Documentation | Preventive | |
| Include how in scope material events are monitored and logged in the audit assertion. CC ID 06973 | Establish/Maintain Documentation | Preventive | |
| Include any in scope material events that might affect the assertion in the audit assertion. CC ID 06991 | Establish/Maintain Documentation | Preventive | |
| Include the in scope controls and compliance documents in the audit assertion. CC ID 06974 | Establish/Maintain Documentation | Preventive | |
| Include the in scope risk assessment processes in the audit assertion. CC ID 06975 | Establish/Maintain Documentation | Preventive | |
| Include in scope change controls in the audit assertion. CC ID 06976 | Establish/Maintain Documentation | Preventive | |
| Include any in scope uncorrected errors or non-compliance issues in the audit assertion. CC ID 06989 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate a written audit assertion of the audit scope and audit terms to interested personnel and affected parties. CC ID 06967 | Establish/Maintain Documentation | Preventive | |
| Include the scope for the desired level of assurance in the audit program. CC ID 12793 | Communicate | Preventive | |
| Include conditions that might require modification of the audit program in the audit terms. CC ID 07149 | Establish/Maintain Documentation | Preventive | |
| Include how access to in scope systems, personnel and in scope records are provided to the auditor in the audit terms. CC ID 06988 | Establish/Maintain Documentation | Preventive | |
| Include the criteria for determining the desired level of assurance in the audit program. CC ID 12795 | Audits and Risk Management | Preventive | |
| Establish, implement, and maintain procedures for determining the desired level of assurance in the audit program. CC ID 12794 | Establish/Maintain Documentation | Preventive | |
| Include the expectations for the audit report in the audit terms. CC ID 07148 | Establish/Maintain Documentation | Preventive | |
| Establish and maintain a practitioner’s report on management’s assertions, as necessary. CC ID 13888 | Establish/Maintain Documentation | Preventive | |
| Refrain from changing the date of the practitioner's report on agreed-upon procedures when reissuing it. CC ID 13896 | Establish/Maintain Documentation | Corrective | |
| Hold a closing meeting following an audit to present audit findings and conclusions. CC ID 15248 | Communicate | Preventive | |
| Include materiality levels in the audit terms. CC ID 01238 | Establish/Maintain Documentation | Preventive | |
| Include material changes in information processes, Information Systems, and assets that could affect audits in the audit terms. CC ID 01239 | Establish/Maintain Documentation | Preventive | |
| Include material weaknesses, material failures, and material errors in information processes, Information Systems, and assets that could affect audits in the audit terms. CC ID 01240 | Establish/Maintain Documentation | Preventive | |
| Schedule attestation engagement meetings with interested personnel and affected parties, as necessary. CC ID 15263 | Business Processes | Preventive | |
| Refrain from performing an attestation engagement under defined conditions. CC ID 13952 [Member States shall in addition ensure that, where statutory audits of public-interest entities are concerned and where appropriate to safeguard the statutory auditor's or audit firm's independence, a statutory auditor or an audit firm shall not carry out a statutory audit in cases of self-review or self-interest. Article 22 2. ¶ 2 Member States shall ensure that a statutory auditor or an audit firm shall not carry out a statutory audit if there is any direct or indirect financial, business, employment or other relationship — including the provision of additional non-audit services — between the statutory auditor, audit firm or network and the audited entity from which an objective, reasonable and informed third party would conclude that the statutory auditor's or audit firm's independence is compromised. If the statutory auditor's or audit firm's independence is affected by threats, such as self-review, self-interest, advocacy, familiarity or trust or intimidation, the statutory auditor or audit firm must apply safeguards in order to mitigate those threats. If the significance of the threats compared to the safeguards applied is such that his, her or its independence is compromised, the statutory auditor or audit firm shall not carry out the statutory audit. Article 22 2. ¶ 1 Member States shall ensure that a statutory auditor or an audit firm shall not carry out a statutory audit if there is any direct or indirect financial, business, employment or other relationship — including the provision of additional non-audit services — between the statutory auditor, audit firm or network and the audited entity from which an objective, reasonable and informed third party would conclude that the statutory auditor's or audit firm's independence is compromised. If the statutory auditor's or audit firm's independence is affected by threats, such as self-review, self-interest, advocacy, familiarity or trust or intimidation, the statutory auditor or audit firm must apply safeguards in order to mitigate those threats. If the significance of the threats compared to the safeguards applied is such that his, her or its independence is compromised, the statutory auditor or audit firm shall not carry out the statutory audit. Article 22 2. ¶ 1] | Audits and Risk Management | Detective | |
| Refrain from accepting an attestation engagement when the engaging party refuses to sign the engagement letter. CC ID 14912 | Business Processes | Preventive | |
| Refrain from accepting an attestation engagement unless the prospective financial information includes a summary of significant assumptions. CC ID 13954 | Behavior | Preventive | |
| Refrain from accepting an attestation engagement when all parties disagree on the procedures. CC ID 13951 | Audits and Risk Management | Preventive | |
| Accept the attestation engagement when all preconditions are met. CC ID 13933 | Business Processes | Preventive | |
| Audit in scope audit items and compliance documents. CC ID 06730 [A statutory audit shall be carried out only by statutory auditors or audit firms which are approved by the Member State requiring the statutory audit. Article 3 1. Member States shall require statutory auditors and audit firms to carry out statutory audits in compliance with international auditing standards adopted by the Commission in accordance with the procedure referred to in Article 48(2). Member States may apply a national auditing standard as long as the Commission has not adopted an international auditing standard covering the same subject-matter. Adopted international auditing standards shall be published in full in each of the official languages of the Community in the Official Journal of the European Union. Article 26 1.] | Audits and Risk Management | Preventive | |
| Collect all work papers for the audit and audit report into an engagement file. CC ID 07001 [Member States shall ensure that in the case of a statutory audit of the consolidated accounts of a group of undertakings: when a component of a group of undertakings is audited by auditor(s) or audit entity(ies) from a third country that has no working arrangement as referred to in Article 47, the group auditor is responsible for ensuring proper delivery, when requested, to the public oversight authorities of the documentation of the audit work performed by the third-country auditor(s) or audit entity(ies), including the working papers relevant to the group audit. To ensure such delivery, the group auditor shall retain a copy of such documentation, or alternatively agree with the third-country auditor(s) or audit entity(ies) his proper and unrestricted access upon request, or take any other appropriate action. If legal or other impediments prevent audit working papers from being passed from a third country to the group auditor, the documentation retained by the group auditor shall include evidence that he or she has undertaken the appropriate procedures in order to gain access to the audit documentation, and in the case of impediments other than legal ones arising from country legislation, evidence supporting such an impediment. Article 27 ¶ 1 (c)] | Actionable Reports or Measurements | Preventive | |
| Document any after the fact changes to the engagement file. CC ID 07002 | Establish/Maintain Documentation | Preventive | |
| Protect access to the engagement file and all associated audit documentation in compliance with Authority Documents the organization must follow. CC ID 07179 | Establish/Maintain Documentation | Preventive | |
| Disclose work papers in the engagement file in compliance with legal requirements. CC ID 07180 [Member States may allow the transfer to the competent authorities of a third country of audit working papers or other documents held by statutory auditors or audit firms approved by them, provided that: those audit working papers or other documents relate to audits of companies which have issued securities in that third country or which form part of a group issuing statutory consolidated accounts in that third country; Article 47 1.(a) Member States may allow the transfer to the competent authorities of a third country of audit working papers or other documents held by statutory auditors or audit firms approved by them, provided that: the transfer takes place via the home competent authorities to the competent authorities of that third country and at their request; Article 47 1.(b) Member States may allow the transfer to the competent authorities of a third country of audit working papers or other documents held by statutory auditors or audit firms approved by them, provided that: the competent authorities of the third country concerned meet requirements which have been declared adequate in accordance with paragraph 3; Article 47 1.(c) Member States may allow the transfer to the competent authorities of a third country of audit working papers or other documents held by statutory auditors or audit firms approved by them, provided that: there are working arrangements on the basis of reciprocity agreed between the competent authorities concerned; Article 47 1.(d) Member States may allow the transfer to the competent authorities of a third country of audit working papers or other documents held by statutory auditors or audit firms approved by them, provided that: the transfer of personal data to the third country is in accordance with Chapter IV of Directive 95/46/EC. Article 47 1.(e) In exceptional cases and by way of derogation from paragraph 1, Member States may allow statutory auditors and audit firms approved by them to transfer audit working papers and other documents directly to the competent authorities of a third country, provided that: investigations have been initiated by the competent authorities in that third country; Article 47 4.(a) In exceptional cases and by way of derogation from paragraph 1, Member States may allow statutory auditors and audit firms approved by them to transfer audit working papers and other documents directly to the competent authorities of a third country, provided that: the transfer does not conflict with the obligations with which statutory auditors and audit firms are required to comply in relation to the transfer of audit working papers and other documents to their home competent authority; Article 47 4.(b) In exceptional cases and by way of derogation from paragraph 1, Member States may allow statutory auditors and audit firms approved by them to transfer audit working papers and other documents directly to the competent authorities of a third country, provided that: there are working arrangements with the competent authorities of that third country that allow the competent authorities in the Member State reciprocal direct access to audit working papers and other documents of that third-country's audit entities; Article 47 4.(c) In exceptional cases and by way of derogation from paragraph 1, Member States may allow statutory auditors and audit firms approved by them to transfer audit working papers and other documents directly to the competent authorities of a third country, provided that: the requesting competent authority of the third country informs in advance the home competent authority of the statutory auditor or audit firm of each direct request for information, indicating the reasons therefor; Article 47 4.(d) In exceptional cases and by way of derogation from paragraph 1, Member States may allow statutory auditors and audit firms approved by them to transfer audit working papers and other documents directly to the competent authorities of a third country, provided that: the conditions referred to in paragraph 2 are respected. Article 47 4.(e)] | Establish/Maintain Documentation | Preventive | |
| Archive the engagement file and all work papers for the period prescribed by law or contract. CC ID 10038 | Records Management | Preventive | |
| Conduct onsite inspections, as necessary. CC ID 16199 | Testing | Preventive | |
| Identify hypothetical assumptions in forecasts and projections during an audit. CC ID 13946 | Audits and Risk Management | Detective | |
| Refrain from examining forecasts and projections which refrain from disclosing assumptions during an audit. CC ID 13932 | Audits and Risk Management | Detective | |
| Audit policies, standards, and procedures. CC ID 12927 | Audits and Risk Management | Preventive | |
| Audit cybersecurity risk management within the policies, standards, and procedures of the organization. CC ID 13011 | Investigate | Detective | |
| Audit information systems, as necessary. CC ID 13010 | Investigate | Detective | |
| Audit the potential costs of compromise to information systems. CC ID 13012 | Investigate | Detective | |
| Determine the accurateness of the audit assertion's in scope system description. CC ID 06979 | Testing | Detective | |
| Determine if the in scope system has been implemented as described in the audit assertion. CC ID 06983 | Testing | Detective | |
| Investigate the nature and causes of misstatements in the audit assertion's in scope system description. CC ID 16557 | Audits and Risk Management | Detective | |
| Determine the effect of fraud and non-compliance on the description of the system in the audit assertion, as necessary. CC ID 13977 | Process or Activity | Detective | |
| Edit the audit assertion for accuracy. CC ID 07030 | Establish/Maintain Documentation | Preventive | |
| Determine if the audit assertion's in scope procedures are accurately documented. CC ID 06982 | Establish/Maintain Documentation | Preventive | |
| Determine if the audit assertion's in scope controls are reasonable. CC ID 06980 | Testing | Detective | |
| Determine the effect of fraud and non-compliance on the achievement of in scope controls in the audit assertion, as necessary. CC ID 13978 | Process or Activity | Detective | |
| Document test plans for auditing in scope controls. CC ID 06985 | Testing | Detective | |
| Determine the implementation status of in scope controls. CC ID 06981 | Testing | Detective | |
| Determine the effectiveness of in scope controls. CC ID 06984 [Without prejudice to the responsibility of the members of the administrative, management or supervisory bodies, or of other members who are appointed by the general meeting of shareholders of the audited entity, the audit committee shall, inter alia: monitor the effectiveness of the company's internal control, internal audit where applicable, and risk management systems; Article 41 2.(b)] | Testing | Detective | |
| Review incident management audit logs to determine the effectiveness of in scope controls. CC ID 12157 | Audits and Risk Management | Detective | |
| Review audit reports to determine the effectiveness of in scope controls. CC ID 12156 [Without prejudice to the responsibility of the members of the administrative, management or supervisory bodies, or of other members who are appointed by the general meeting of shareholders of the audited entity, the audit committee shall, inter alia: monitor the effectiveness of the company's internal control, internal audit where applicable, and risk management systems; Article 41 2.(b)] | Audits and Risk Management | Detective | |
| Observe processes to determine the effectiveness of in scope controls. CC ID 12155 | Audits and Risk Management | Detective | |
| Interview stakeholders to determine the effectiveness of in scope controls. CC ID 12154 | Audits and Risk Management | Detective | |
| Review documentation to determine the effectiveness of in scope controls. CC ID 16522 | Process or Activity | Preventive | |
| Review policies and procedures to determine the effectiveness of in scope controls. CC ID 12144 | Audits and Risk Management | Detective | |
| Evaluate personnel status changes to determine the effectiveness of in scope controls. CC ID 16556 | Audits and Risk Management | Detective | |
| Determine whether individuals performing a control have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 16555 | Audits and Risk Management | Detective | |
| Determine any errors or material omissions in the audit assertion that affect in scope control implementations. CC ID 06990 | Testing | Detective | |
| Include the process of using evidential matter to test in scope controls in the test plan. CC ID 06996 | Establish/Maintain Documentation | Preventive | |
| Audit the in scope system according to the test plan using relevant evidence. CC ID 07112 | Testing | Preventive | |
| Implement procedures that collect sufficient audit evidence. CC ID 07153 | Audits and Risk Management | Preventive | |
| Collect evidence about the in scope audit items of the audit assertion. CC ID 07154 | Audits and Risk Management | Preventive | |
| Collect audit evidence sufficient to avoid misstatements. CC ID 07155 | Audits and Risk Management | Preventive | |
| Collect audit evidence at the level of the organization's competence in the subject matter. CC ID 07156 | Audits and Risk Management | Preventive | |
| Collect audit evidence sufficient to overcome inadequacies in the organization's attestation. CC ID 07157 | Audits and Risk Management | Preventive | |
| Refrain from using audit evidence that is not sufficient. CC ID 17163 | Audits and Risk Management | Preventive | |
| Report that audit evidence collected was not sufficient to the proper authorities. CC ID 16847 | Communicate | Preventive | |
| Provide transactional walkthrough procedures for external auditors. CC ID 00672 | Testing | Preventive | |
| Establish, implement, and maintain interview procedures. CC ID 16282 | Establish/Maintain Documentation | Preventive | |
| Include roles and responsibilities in the interview procedures. CC ID 16297 | Human Resources Management | Preventive | |
| Coordinate the scheduling of interviews. CC ID 16293 | Process or Activity | Preventive | |
| Create a schedule for the interviews. CC ID 16292 | Process or Activity | Preventive | |
| Identify interviewees. CC ID 16290 | Process or Activity | Preventive | |
| Conduct interviews, as necessary. CC ID 07188 | Testing | Detective | |
| Verify statements made by interviewees are correct. CC ID 16299 | Behavior | Detective | |
| Discuss unsolved questions with the interviewee. CC ID 16298 | Process or Activity | Detective | |
| Allow interviewee to respond to explanations. CC ID 16296 | Process or Activity | Detective | |
| Explain the requirements being discussed to the interviewee. CC ID 16294 | Process or Activity | Detective | |
| Explain the goals of the interview to the interviewee. CC ID 07189 | Behavior | Detective | |
| Explain the testing results to the interviewee. CC ID 16291 | Process or Activity | Preventive | |
| Withdraw from the audit, when defined conditions exist. CC ID 13885 | Process or Activity | Corrective | |
| Establish and maintain work papers, as necessary. CC ID 13891 [Member States shall ensure that in the case of a statutory audit of the consolidated accounts of a group of undertakings: the group auditor carries out a review and maintains documentation of his or her review of the audit work performed by third-country auditor(s), statutory auditor(s), third-country audit entity(ies) or audit firm(s) for the purpose of the group audit. The documentation retained by the group auditor shall be such as enables the relevant competent authority to review the work of the group auditor properly; Article 27 ¶ 1 (b) The working arrangements referred to in paragraph 1(d) shall ensure that: the competent authorities of the third country may use audit working papers and other documents only for the exercise of their functions of public oversight, quality assurance and investigations that meet requirements equivalent to those of Articles 29, 30 and 32; Article 47 2.(c)] | Establish/Maintain Documentation | Preventive | |
| Include the auditor's conclusions on work performed by individuals assigned to the audit in the work papers. CC ID 16775 | Establish/Maintain Documentation | Preventive | |
| Include audit irregularities in the work papers. CC ID 16774 | Establish/Maintain Documentation | Preventive | |
| Include corrective actions in the work papers. CC ID 16771 | Establish/Maintain Documentation | Preventive | |
| Include information about the organization being audited and the auditor performing the audit in the work papers. CC ID 16770 | Establish/Maintain Documentation | Preventive | |
| Include discussions with interested personnel and affected parties in the work papers. CC ID 16768 | Establish/Maintain Documentation | Preventive | |
| Include justification for departing from mandatory requirements in the work papers. CC ID 13935 | Establish/Maintain Documentation | Preventive | |
| Include audit evidence obtained from previous engagements in the work papers. CC ID 16518 [Member States shall ensure that in the case of a statutory audit of the consolidated accounts of a group of undertakings: when a component of a group of undertakings is audited by auditor(s) or audit entity(ies) from a third country that has no working arrangement as referred to in Article 47, the group auditor is responsible for ensuring proper delivery, when requested, to the public oversight authorities of the documentation of the audit work performed by the third-country auditor(s) or audit entity(ies), including the working papers relevant to the group audit. To ensure such delivery, the group auditor shall retain a copy of such documentation, or alternatively agree with the third-country auditor(s) or audit entity(ies) his proper and unrestricted access upon request, or take any other appropriate action. If legal or other impediments prevent audit working papers from being passed from a third country to the group auditor, the documentation retained by the group auditor shall include evidence that he or she has undertaken the appropriate procedures in order to gain access to the audit documentation, and in the case of impediments other than legal ones arising from country legislation, evidence supporting such an impediment. Article 27 ¶ 1 (c)] | Audits and Risk Management | Preventive | |
| Include the reviewer, and dates, for using evidential matter to test in scope controls in the work papers. CC ID 06998 | Establish/Maintain Documentation | Preventive | |
| Include the tests, examinations, interviews and observations performed during the audit in the work papers. CC ID 07190 | Establish/Maintain Documentation | Preventive | |
| Include if any subject matter experts or additional research had to be undertaken to test in scope controls in the work papers. CC ID 07026 | Establish/Maintain Documentation | Preventive | |
| Include the tester, and dates, for using evidential matter to test in scope controls in the work papers. CC ID 06997 | Establish/Maintain Documentation | Preventive | |
| Include if the audit evidence has identified in scope control deficiencies in the work papers. CC ID 07152 | Audits and Risk Management | Detective | |
| Include any subsequent events related to the audit assertion or audit subject matter in the work papers. CC ID 07177 | Audits and Risk Management | Preventive | |
| Include if in scope control deviations allow in scope controls to be performed acceptably in the work papers. CC ID 06987 | Testing | Detective | |
| Include the causes of identified in scope control deficiencies in the work papers. CC ID 07000 | Establish/Maintain Documentation | Preventive | |
| Include discussions regarding the causes of identified in scope control deficiencies in the work papers. CC ID 06999 | Establish/Maintain Documentation | Preventive | |
| Investigate the nature and causes of identified in scope control deviations. CC ID 06986 | Testing | Detective | |
| Supervise interested personnel and affected parties participating in the audit. CC ID 07150 | Monitor and Evaluate Occurrences | Preventive | |
| Notify interested personnel and affected parties participating in the audit of their roles and responsibilities during the audit. CC ID 07151 | Establish Roles | Preventive | |
| Respond to questions or clarification requests regarding the audit. CC ID 08902 | Business Processes | Preventive | |
| Track and measure the implementation of the organizational compliance framework. CC ID 06445 | Monitor and Evaluate Occurrences | Preventive | |
| Review the need for organizational efficiency as balanced against the needs of compliance and security. CC ID 07111 | Business Processes | Preventive | |
| Engage subject matter experts when the auditor requires additional expertise during an attestation engagement, as necessary. CC ID 13971 | Process or Activity | Preventive | |
| Review the subject matter expert's findings. CC ID 16559 | Audits and Risk Management | Detective | |
| Establish, implement, and maintain a practitioner’s report on agreed-upon procedures. CC ID 13894 | Establish/Maintain Documentation | Preventive | |
| Provide auditors access to all in scope records, in scope assets, personnel and in scope procedures. CC ID 06966 [Where a statutory auditor or audit firm is replaced by another statutory auditor or audit firm, the former statutory auditor or audit firm shall provide the incoming statutory auditor or audit firm with access to all relevant information concerning the audited entity. Article 23 3.] | Audits and Risk Management | Preventive | |
| Permit assessment teams to conduct audits, as necessary. CC ID 16430 | Investigate | Detective | |
| Provide auditors access to affected parties during the audit, as necessary. CC ID 07187 | Business Processes | Preventive | |
| Solve any access problems auditors encounter during the audit. CC ID 08959 | Audits and Risk Management | Corrective | |
| Notify interested personnel and affected parties when an auditee refuses to provide access or participate in the audit. CC ID 08960 | Audits and Risk Management | Preventive | |
| Establish and maintain a practitioner's examination report on pro forma financial information. CC ID 13968 | Establish/Maintain Documentation | Preventive | |
| Include references to where financial information was derived in the practitioner's review report on pro forma financial information. CC ID 13982 | Establish/Maintain Documentation | Preventive | |
| Include a statement that the financial statements used were audited by other practitioners in the practitioner's examination report on pro forma financial information, as necessary. CC ID 13981 | Establish/Maintain Documentation | Preventive | |
| Establish and maintain organizational audit reports. CC ID 06731 | Establish/Maintain Documentation | Preventive | |
| Determine what disclosures are required in the audit report. CC ID 14888 | Establish/Maintain Documentation | Detective | |
| Include the purpose in the audit report. CC ID 17263 | Establish/Maintain Documentation | Preventive | |
| Include the justification for not following the applicable requirements in the audit report. CC ID 16822 | Audits and Risk Management | Preventive | |
| Include a statement that the applicable requirements were not followed in the audit report. CC ID 16821 | Audits and Risk Management | Preventive | |
| Include audit subject matter in the audit report. CC ID 14882 | Establish/Maintain Documentation | Preventive | |
| Include an other-matter paragraph in the audit report. CC ID 14901 | Establish/Maintain Documentation | Preventive | |
| Identify the audit team members in the audit report. CC ID 15259 | Human Resources Management | Detective | |
| Include that the auditee did not provide comments in the audit report. CC ID 16849 | Establish/Maintain Documentation | Preventive | |
| Include written agreements in the audit report. CC ID 17266 | Establish/Maintain Documentation | Preventive | |
| Write the audit report using clear and conspicuous language. CC ID 13948 | Establish/Maintain Documentation | Preventive | |
| Include a statement that the sufficiency of the agreed upon procedures is the responsibility of the specified parties in the audit report. CC ID 13936 | Establish/Maintain Documentation | Preventive | |
| Include a statement that the financial statements were audited in the audit report. CC ID 13963 | Establish/Maintain Documentation | Preventive | |
| Include the criteria that financial information was measured against in the audit report. CC ID 13966 | Establish/Maintain Documentation | Preventive | |
| Include a description of the financial information being reported on in the audit report. CC ID 13965 | Establish/Maintain Documentation | Preventive | |
| Include references to any adjustments of financial information in the audit report. CC ID 13964 | Establish/Maintain Documentation | Preventive | |
| Include in the audit report that audit opinions are not dependent on references to subject matter experts, as necessary. CC ID 13953 | Establish/Maintain Documentation | Preventive | |
| Include references to historical financial information used in the audit report. CC ID 13961 | Establish/Maintain Documentation | Preventive | |
| Include a statement about the inherent limitations of the audit in the audit report. CC ID 14900 | Establish/Maintain Documentation | Preventive | |
| Include a description of the limitations on the usefulness of hypothetical assumptions in the audit report. CC ID 13958 | Establish/Maintain Documentation | Preventive | |
| Include the word independent in the title of audit reports. CC ID 07003 | Actionable Reports or Measurements | Preventive | |
| Include the date of the audit in the audit report. CC ID 07024 | Actionable Reports or Measurements | Preventive | |
| Structure the audit report to be in the form of procedures and findings. CC ID 13940 | Establish/Maintain Documentation | Preventive | |
| Include information about the organization being audited and the auditor performing the audit in the audit report. CC ID 07004 [In addition to the provisions laid down in Articles 22 and 24, Member States shall ensure that statutory auditors or audit firms that carry out the statutory audit of a public-interest entity: disclose annually to the audit committee any additional services provided to the audited entity; and Article 42 1.(b)] | Actionable Reports or Measurements | Preventive | |
| Include any discussions of significant findings in the audit report. CC ID 13955 | Establish/Maintain Documentation | Preventive | |
| Include the date and with whom discussions about significant findings took place in the audit report. CC ID 13962 | Establish/Maintain Documentation | Preventive | |
| Include the audit criteria in the audit report. CC ID 13945 | Establish/Maintain Documentation | Preventive | |
| Include a statement in the audit report that the agreed upon procedures were potentially insufficient in identifying material risks, as necessary. CC ID 13957 | Establish/Maintain Documentation | Preventive | |
| Include all hypothetical assumptions in the audit report. CC ID 13947 | Establish/Maintain Documentation | Preventive | |
| Include a statement that access to the report is restricted based on least privilege in the audit report. CC ID 07023 | Actionable Reports or Measurements | Preventive | |
| Include a statement that identifies the distribution list for the report in the audit report. CC ID 07172 | Establish/Maintain Documentation | Preventive | |
| Include a statement that identifies the use restrictions for the report in the audit report. CC ID 07173 | Establish/Maintain Documentation | Preventive | |
| Include a statement that the agreed upon procedures involves collecting evidence in the audit report. CC ID 13956 | Establish/Maintain Documentation | Preventive | |
| Include all of the facts and demonstrated plausibility in the audit report. CC ID 08929 | Establish/Maintain Documentation | Preventive | |
| Include a statement that the agreed upon procedures were performed by all parties in the audit report. CC ID 13931 | Establish/Maintain Documentation | Preventive | |
| Include references to subject matter experts in the audit report when citing qualified opinions. CC ID 13929 | Establish/Maintain Documentation | Preventive | |
| Include a description of the assistance provided by Subject Matter Experts in the audit report. CC ID 13939 | Establish/Maintain Documentation | Preventive | |
| Include a review of the subject matter expert's findings in the audit report. CC ID 13972 | Establish/Maintain Documentation | Preventive | |
| Include a statement of the character of the engagement in the audit report. CC ID 07166 | Establish/Maintain Documentation | Preventive | |
| Include the nature and scope of the audit performed in the statement of the character of the engagement in the audit report. CC ID 07167 | Establish/Maintain Documentation | Preventive | |
| Include the professional standards governing the audit in the statement of the character of the engagement in the audit report. CC ID 07168 | Establish/Maintain Documentation | Preventive | |
| Include all restrictions on the audit in the audit report. CC ID 13930 | Establish/Maintain Documentation | Preventive | |
| Include a statement that the auditor has no responsibility to update the audit report after its submission. CC ID 13943 | Establish/Maintain Documentation | Preventive | |
| Include a statement on the auditor's ethical requirements in the audit report. CC ID 16767 | Establish/Maintain Documentation | Preventive | |
| Include a statement that the responsible party refused to provide a written assertion in the audit report. CC ID 13887 | Establish/Maintain Documentation | Preventive | |
| Include a statement that the examination involves procedures for collecting evidence in the audit report. CC ID 13941 | Establish/Maintain Documentation | Preventive | |
| Express an adverse opinion in the audit report when significant assumptions are not suitably supported. CC ID 13944 | Establish/Maintain Documentation | Preventive | |
| Include a statement that modifications to historical evidence accurately reflect current evidence in the audit report. CC ID 13938 | Establish/Maintain Documentation | Preventive | |
| Refrain from referencing previous engagements in the audit report. CC ID 16516 | Audits and Risk Management | Preventive | |
| Refrain from referencing other auditor's work in the audit report. CC ID 13881 | Establish/Maintain Documentation | Preventive | |
| Include that the audit findings are not a predictive analysis of future compliance in the audit report. CC ID 07018 | Establish/Maintain Documentation | Preventive | |
| Identify the participants from the organization being audited in the audit report. CC ID 15258 | Audits and Risk Management | Detective | |
| Include how in scope controls meet external requirements in the audit report. CC ID 16450 | Establish/Maintain Documentation | Preventive | |
| Include the in scope records used to obtain audit evidence in the description of tests of controls and results in the audit report. CC ID 14915 | Establish/Maintain Documentation | Preventive | |
| Include recommended corrective actions in the audit report. CC ID 16197 | Establish/Maintain Documentation | Preventive | |
| Include the cost of corrective action in the audit report. CC ID 17015 | Audits and Risk Management | Preventive | |
| Include risks and opportunities in the audit report. CC ID 16196 | Establish/Maintain Documentation | Preventive | |
| Include the description of tests of controls and results in the audit report. CC ID 14898 | Establish/Maintain Documentation | Preventive | |
| Include the nature of the tests performed in the description of tests of controls and results in the audit report. CC ID 14908 | Establish/Maintain Documentation | Preventive | |
| Include the test scope in the description of tests of controls and results in the audit report. CC ID 14906 | Establish/Maintain Documentation | Preventive | |
| Identify the stakeholders interviewed to obtain audit evidence in the description of tests of controls and results in the audit report. CC ID 14905 | Establish/Maintain Documentation | Preventive | |
| Include the timing of controls in the description of tests of controls and results in the audit report. CC ID 16553 | Audits and Risk Management | Preventive | |
| Include the controls that were tested in the description of tests of controls and results in the audit report. CC ID 14902 | Establish/Maintain Documentation | Preventive | |
| Include subsequent events related to the audit assertion or audit subject matter in the audit report. CC ID 16773 | Establish/Maintain Documentation | Preventive | |
| Include the organization's audit assertion of the in scope system in the audit report. CC ID 07005 | Actionable Reports or Measurements | Preventive | |
| Include that the organization is the responsible party for the content of its audit assertion and in scope system description in the audit report. CC ID 07010 | Establish/Maintain Documentation | Preventive | |
| Include that the organization is the responsible party for providing in scope services in the audit report. CC ID 14903 | Establish/Maintain Documentation | Preventive | |
| Include that the organization is the responsible party for specifying in scope controls not defined by law or contractual obligation in the audit report. CC ID 07011 | Establish/Maintain Documentation | Preventive | |
| Include that the organization is the responsible party for designing and implementing the in scope controls it identified in the audit scope in the audit report. CC ID 07014 | Establish/Maintain Documentation | Preventive | |
| Include the audit opinion regarding the accurateness of the in scope system description in the audit report. CC ID 07019 | Establish/Maintain Documentation | Preventive | |
| Include the attestation standards the auditor follows in the audit report. CC ID 07015 | Establish/Maintain Documentation | Preventive | |
| Include the audit opinion about the audit assertion in relation to the audit criteria used for evaluation in the audit report. CC ID 07169 | Establish/Maintain Documentation | Preventive | |
| Include the auditor's significant reservations about the engagement, the audit assertion, or the audit subject matter in the audit report. CC ID 07170 | Establish/Maintain Documentation | Preventive | |
| Include an emphasis-of-matter paragraph in the audit report. CC ID 14890 | Establish/Maintain Documentation | Preventive | |
| Include the organization's in scope system description in the audit report. CC ID 11626 | Audits and Risk Management | Preventive | |
| Include any out of scope components of in scope systems in the audit report. CC ID 07006 | Establish/Maintain Documentation | Preventive | |
| Include that the organization is the responsible party for identifying material risks in the audit report. CC ID 07012 | Establish/Maintain Documentation | Preventive | |
| Include that the organization is the responsible party for selecting the audit criteria in the audit report. CC ID 07013 | Establish/Maintain Documentation | Preventive | |
| Include the scope and work performed in the audit report. CC ID 11621 | Audits and Risk Management | Preventive | |
| Review the adequacy of the internal auditor's work papers. CC ID 01146 | Audits and Risk Management | Detective | |
| Compare the evaluations completed by the internal auditors and the external auditors in past audit reports. CC ID 01158 | Establish/Maintain Documentation | Detective | |
| Review the adequacy of the internal auditor's audit reports. CC ID 11620 | Audits and Risk Management | Detective | |
| Review past audit reports. CC ID 01155 [Member States shall ensure that in the case of a statutory audit of the consolidated accounts of a group of undertakings: the group auditor carries out a review and maintains documentation of his or her review of the audit work performed by third-country auditor(s), statutory auditor(s), third-country audit entity(ies) or audit firm(s) for the purpose of the group audit. The documentation retained by the group auditor shall be such as enables the relevant competent authority to review the work of the group auditor properly; Article 27 ¶ 1 (b)] | Establish/Maintain Documentation | Detective | |
| Review past audit reports for specific process steps and calculations that were stated to support the audit report's conclusions. CC ID 01160 | Establish/Maintain Documentation | Detective | |
| Review the reporting of material weaknesses and risks in past audit reports. CC ID 01161 | Establish/Maintain Documentation | Detective | |
| Resolve disputes before creating the audit summary. CC ID 08964 | Behavior | Preventive | |
| Refrain from including the description of the audit in the audit report when the auditor is disclaiming an audit opinion. CC ID 13975 | Establish/Maintain Documentation | Preventive | |
| Refrain from including scope limitations from changed attestation engagements in the audit report. CC ID 13983 | Establish/Maintain Documentation | Preventive | |
| Refrain from including in the audit report any procedures that were performed that the auditor is disclaiming in an audit opinion. CC ID 13974 | Establish/Maintain Documentation | Preventive | |
| Include deficiencies and non-compliance in the audit report. CC ID 14879 | Establish/Maintain Documentation | Corrective | |
| Determine the effect of deficiencies on the audit report, as necessary. CC ID 14886 | Investigate | Detective | |
| Determine the effect of fraud and non-compliance on the audit report, as necessary. CC ID 13979 | Process or Activity | Detective | |
| Include the results of the business impact analysis in the audit report. CC ID 17208 | Establish/Maintain Documentation | Preventive | |
| Include an audit opinion in the audit report. CC ID 07017 | Establish/Maintain Documentation | Preventive | |
| Include qualified opinions in the audit report. CC ID 13928 | Establish/Maintain Documentation | Preventive | |
| Include that the auditor is the responsible party to express an opinion on the audit subject matter based on examination of evidence in the audit report. CC ID 07174 | Establish/Maintain Documentation | Preventive | |
| Include a description of the reasons for modifying the audit opinion in the audit report. CC ID 13898 | Establish/Maintain Documentation | Corrective | |
| Include that the auditor did not express an opinion in the audit report, as necessary. CC ID 13886 | Establish/Maintain Documentation | Preventive | |
| Disclaim the audit opinion in the audit report, as necessary. CC ID 13901 | Business Processes | Corrective | |
| Include items that were excluded from the audit report in the audit report. CC ID 07007 | Establish/Maintain Documentation | Preventive | |
| Include the organization's privacy practices in the audit report. CC ID 07029 | Establish/Maintain Documentation | Preventive | |
| Include items that pertain to third parties in the audit report. CC ID 07008 | Establish/Maintain Documentation | Preventive | |
| Refrain from including reference to procedures performed in previous attestation engagements in the audit report. CC ID 13970 | Establish/Maintain Documentation | Preventive | |
| Include a statement in the audit report that no procedures were performed subsequent to the date of the practitioner's review report on pro forma financial information, as necessary. CC ID 13969 | Establish/Maintain Documentation | Preventive | |
| Include any of the organization's use of compensating controls that were not audited in the audit report. CC ID 07009 | Establish/Maintain Documentation | Preventive | |
| Include whether the use of compensating controls are necessary in the audit report. CC ID 07020 | Establish/Maintain Documentation | Preventive | |
| Include the pass or fail test status of all in scope controls in the audit report. CC ID 07016 | Establish/Maintain Documentation | Preventive | |
| Include the process of using evidential matter to test in scope controls in the audit report. CC ID 07021 | Establish/Maintain Documentation | Preventive | |
| Include the nature and causes of identified in scope control deviations in the audit report. CC ID 07022 | Establish/Maintain Documentation | Preventive | |
| Modify the audit opinion in the audit report under defined conditions. CC ID 13937 | Establish/Maintain Documentation | Corrective | |
| Disclose any audit irregularities in the audit report. CC ID 06995 | Actionable Reports or Measurements | Preventive | |
| Include the written signature of the auditor's organization in the audit report. CC ID 13897 [Where an audit firm carries out the statutory audit, the audit report shall be signed by at least the statutory auditor(s) carrying out the statutory audit on behalf of the audit firm. In exceptional circumstances Member States may provide that this signature need not be disclosed to the public if such disclosure could lead to an imminent and significant threat to the personal security of any person. In any case the name(s) of the person(s) involved shall be known to the relevant competent authorities. Article 28 1.] | Establish/Maintain Documentation | Preventive | |
| Include a statement that additional reports are being submitted in the audit report. CC ID 16848 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the audit report to all interested personnel and affected parties identified in the distribution list. CC ID 07117 | Establish/Maintain Documentation | Preventive | |
| Define the roles and responsibilities for distributing the audit report. CC ID 16845 | Human Resources Management | Preventive | |
| Disseminate and communicate the reviews of audit reports to organizational management. CC ID 00653 | Log Management | Detective | |
| Disseminate and communicate the reasons the audit report was delayed to interested personnel and affected parties. CC ID 15257 | Communicate | Preventive | |
| Notify auditees if disclosure of audit documentation is required by law. CC ID 15249 | Communicate | Preventive | |
| Disseminate and communicate to the organization that access and use of audit reports are based on least privilege. CC ID 07171 | Behavior | Preventive | |
| Disseminate and communicate documents that contain information in support of the audit report. CC ID 07175 | Establish/Maintain Documentation | Preventive | |
| Correct any material misstatements in documents that contain information in support of the audit report. CC ID 07176 | Establish/Maintain Documentation | Preventive | |
| Review the issues of non-compliance from past audit reports. CC ID 01148 | Establish/Maintain Documentation | Detective | |
| Notify interested personnel and affected parties after bribes are offered during the audit. CC ID 08872 | Business Processes | Preventive | |
| Submit an audit report that is complete. CC ID 01145 [Member States shall ensure that in the case of a statutory audit of the consolidated accounts of a group of undertakings: when a component of a group of undertakings is audited by auditor(s) or audit entity(ies) from a third country that has no working arrangement as referred to in Article 47, the group auditor is responsible for ensuring proper delivery, when requested, to the public oversight authorities of the documentation of the audit work performed by the third-country auditor(s) or audit entity(ies), including the working papers relevant to the group audit. To ensure such delivery, the group auditor shall retain a copy of such documentation, or alternatively agree with the third-country auditor(s) or audit entity(ies) his proper and unrestricted access upon request, or take any other appropriate action. If legal or other impediments prevent audit working papers from being passed from a third country to the group auditor, the documentation retained by the group auditor shall include evidence that he or she has undertaken the appropriate procedures in order to gain access to the audit documentation, and in the case of impediments other than legal ones arising from country legislation, evidence supporting such an impediment. Article 27 ¶ 1 (c)] | Testing | Detective | |
| Accept the audit report. CC ID 07025 | Establish/Maintain Documentation | Preventive | |
| Implement a corrective action plan in response to the audit report. CC ID 06777 | Establish/Maintain Documentation | Corrective | |
| Assign responsibility for remediation actions. CC ID 13622 | Human Resources Management | Preventive | |
| Monitor and report on the status of mitigation actions in the corrective action plan. CC ID 15250 | Actionable Reports or Measurements | Corrective | |
| Review management's response to issues raised in past audit reports. CC ID 01149 | Audits and Risk Management | Detective | |
| Define penalties for uncorrected audit findings or remaining non-compliant with the audit report. CC ID 08963 [If the recommendations referred to in point (j) are not followed up, the statutory auditor or audit firm shall, if applicable, be subject to the system of disciplinary actions or penalties referred to in Article 30. Article 29 1. ¶ 1 Member States shall ensure that there are effective systems of investigations and penalties to detect, correct and prevent inadequate execution of the statutory audit. Article 30 1.] | Establish/Maintain Documentation | Preventive | |
| Assess the quality of the audit program in regards to the staff and their qualifications. CC ID 01150 | Testing | Detective | |
| Evaluate the competency of auditors. CC ID 15253 | Human Resources Management | Detective | |
| Review the audit program scope as it relates to the organization's profile. CC ID 01159 | Audits and Risk Management | Detective | |
| Assess the quality of the audit program in regards to its documentation. CC ID 11622 [Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: the scope of the quality assurance review, supported by adequate testing of selected audit files, shall include an assessment of compliance with applicable auditing standards and independence requirements, of the quantity and quality of resources spent, of the audit fees charged and of the internal quality control system of the audit firm; Article 29 1.(f) Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: the scope of the quality assurance review, supported by adequate testing of selected audit files, shall include an assessment of compliance with applicable auditing standards and independence requirements, of the quantity and quality of resources spent, of the audit fees charged and of the internal quality control system of the audit firm; Article 29 1.(f)] | Audits and Risk Management | Preventive | |
| Establish, implement, and maintain the audit plan. CC ID 01156 | Testing | Detective | |
| Include the audit criteria in the audit plan. CC ID 15262 | Establish/Maintain Documentation | Preventive | |
| Include a list of reference documents in the audit plan. CC ID 15260 | Establish/Maintain Documentation | Preventive | |
| Include the languages to be used for the audit in the audit plan. CC ID 15252 | Establish/Maintain Documentation | Preventive | |
| Include the allocation of resources in the audit plan. CC ID 15251 | Establish/Maintain Documentation | Preventive | |
| Include communication protocols in the audit plan. CC ID 15247 | Establish/Maintain Documentation | Preventive | |
| Include the level of audit sampling necessary to collect sufficient audit evidence in the audit plan. CC ID 15246 | Establish/Maintain Documentation | Preventive | |
| Include meeting schedules in the audit plan. CC ID 15245 | Establish/Maintain Documentation | Preventive | |
| Include the time frames for the audit in the audit plan. CC ID 15244 | Establish/Maintain Documentation | Preventive | |
| Include the time frames for conducting the audit in the audit plan. CC ID 15243 | Establish/Maintain Documentation | Preventive | |
| Include the locations to be audited in the audit plan. CC ID 15242 | Establish/Maintain Documentation | Preventive | |
| Include the processes to be audited in the audit plan. CC ID 15241 | Establish/Maintain Documentation | Preventive | |
| Include audit objectives in the audit plan. CC ID 15240 | Establish/Maintain Documentation | Preventive | |
| Include the risks associated with audit activities in the audit plan. CC ID 15239 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the audit plan to interested personnel and affected parties. CC ID 15238 | Communicate | Preventive | |
| Establish, implement, and maintain an audit schedule for the audit program. CC ID 13158 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a risk management program. CC ID 12051 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain the risk assessment framework. CC ID 00685 | Establish/Maintain Documentation | Preventive | |
| Perform a gap analysis to review in scope controls for identified risks and implement new controls, as necessary. CC ID 00704 | Establish/Maintain Documentation | Detective | |
| Determine the effectiveness of risk control measures. CC ID 06601 [Without prejudice to the responsibility of the members of the administrative, management or supervisory bodies, or of other members who are appointed by the general meeting of shareholders of the audited entity, the audit committee shall, inter alia: monitor the effectiveness of the company's internal control, internal audit where applicable, and risk management systems; Article 41 2.(b)] | Testing | Detective | |
| Develop key indicators to inform management on the effectiveness of risk control measures. CC ID 12946 | Audits and Risk Management | Preventive | |
| Establish, implement, and maintain a disclosure report. CC ID 15521 [The system of public oversight shall be transparent. This shall include the publication of annual work programmes and activity reports. Article 32 6.] | Establish/Maintain Documentation | Preventive | |
| Include goals and targets in the disclosure report. CC ID 16339 [Member States shall ensure that statutory auditors and audit firms that carry out statutory audit(s) of public-interest entities publish on their websites, within three months of the end of each financial year, annual transparency reports that include at least the following: a description of the internal quality control system of the audit firm and a statement by the administrative or management body on the effectiveness of its functioning; Article 40 1.(d)] | Establish/Maintain Documentation | Preventive | |
| Include the governance, risk, and compliance approach in the disclosure report. CC ID 16024 | Establish/Maintain Documentation | Preventive | |
| Include a description of assurance processes in the disclosure report. CC ID 16031 [Member States shall ensure that statutory auditors and audit firms that carry out statutory audit(s) of public-interest entities publish on their websites, within three months of the end of each financial year, annual transparency reports that include at least the following: a description of the internal quality control system of the audit firm and a statement by the administrative or management body on the effectiveness of its functioning; Article 40 1.(d)] | Establish/Maintain Documentation | Preventive | |
| Include how material topics are managed in the disclosure report. CC ID 15657 | Establish/Maintain Documentation | Preventive | |
| Include disclosures for each material topic in the disclosure report. CC ID 15658 | Establish/Maintain Documentation | Preventive | |
| Include a description of how the organization manages training and education in the disclosure report. CC ID 15875 [Member States shall ensure that statutory auditors and audit firms that carry out statutory audit(s) of public-interest entities publish on their websites, within three months of the end of each financial year, annual transparency reports that include at least the following: a statement on the policy followed by the audit firm concerning the continuing education of statutory auditors referred to in Article 13; Article 40 1.(h)] | Establish/Maintain Documentation | Preventive | |
| Include a description of professional development programs in the disclosure report. CC ID 15880 | Establish/Maintain Documentation | Preventive | |
| Include a description of professional development assistance in the disclosure report. CC ID 15879 | Establish/Maintain Documentation | Preventive | |
| Include a description of transition assistance programs in the disclosure report. CC ID 15878 | Establish/Maintain Documentation | Preventive | |
| Include the governance structure in the disclosure report. CC ID 15840 [Member States shall ensure that statutory auditors and audit firms that carry out statutory audit(s) of public-interest entities publish on their websites, within three months of the end of each financial year, annual transparency reports that include at least the following: a description of the governance structure of the audit firm; Article 40 1.(c)] | Establish/Maintain Documentation | Preventive | |
| Include stakeholder representation in the disclosure report. CC ID 15847 | Establish/Maintain Documentation | Preventive | |
| Include a description of the composition of governance bodies and committees in the disclosure report. CC ID 15843 | Establish/Maintain Documentation | Preventive | |
| Include the ownership structure in the disclosure report. CC ID 15822 [Member States shall ensure that statutory auditors and audit firms that carry out statutory audit(s) of public-interest entities publish on their websites, within three months of the end of each financial year, annual transparency reports that include at least the following: a description of the legal structure and ownership; Article 40 1.(a)] | Establish/Maintain Documentation | Preventive | |
| Include the shareholding structure in the disclosure report. CC ID 16093 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the disclosure report to interested personnel and affected parties. CC ID 15667 [Member States shall ensure that statutory auditors and audit firms that carry out statutory audit(s) of public-interest entities publish on their websites, within three months of the end of each financial year, annual transparency reports that include at least the following: Article 40 1.] | Communicate | Preventive | |
Harmonization Methods and Manual of Style | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Harmonization Methods and Manual of Style CC ID 06095 | IT Impact Zone | IT Impact Zone | |
| Structure the language of compliance documents. CC ID 06098 | Establish/Maintain Documentation | Preventive | |
| Standardize word usage. CC ID 06104 | Establish/Maintain Documentation | Preventive | |
| Write policies and instructions using clear and conspicuous language. CC ID 16286 [Member States shall require statutory auditors and audit firms to carry out statutory audits in compliance with international auditing standards adopted by the Commission in accordance with the procedure referred to in Article 48(2). Member States may apply a national auditing standard as long as the Commission has not adopted an international auditing standard covering the same subject-matter. Adopted international auditing standards shall be published in full in each of the official languages of the Community in the Official Journal of the European Union. Article 26 1.] | Establish/Maintain Documentation | Preventive | |
Human Resources management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Human Resources management CC ID 00763 | IT Impact Zone | IT Impact Zone | |
| Establish, implement, and maintain high level operational roles and responsibilities. CC ID 00806 | Establish Roles | Preventive | |
| Define and assign board committees, as necessary. CC ID 14787 | Human Resources Management | Preventive | |
| Define and assign audit committees, as necessary. CC ID 14788 [Each public-interest entity shall have an audit committee. The Member State shall determine whether audit committees are to be composed of non-executive members of the administrative body and/or members of the supervisory body of the audited entity and/or members appointed by the general meeting of shareholders of the audited entity. At least one member of the audit committee shall be independent and shall have competence in accounting and/or auditing. Article 41 1. ¶ 1 Each public-interest entity shall have an audit committee. The Member State shall determine whether audit committees are to be composed of non-executive members of the administrative body and/or members of the supervisory body of the audited entity and/or members appointed by the general meeting of shareholders of the audited entity. At least one member of the audit committee shall be independent and shall have competence in accounting and/or auditing. Article 41 1. ¶ 1] | Human Resources Management | Preventive | |
| Include members with experience in audit practices, financial reporting, and accounting in the audit committee. CC ID 14796 [Each public-interest entity shall have an audit committee. The Member State shall determine whether audit committees are to be composed of non-executive members of the administrative body and/or members of the supervisory body of the audited entity and/or members appointed by the general meeting of shareholders of the audited entity. At least one member of the audit committee shall be independent and shall have competence in accounting and/or auditing. Article 41 1. ¶ 1] | Human Resources Management | Preventive | |
| Establish, implement, and maintain a personnel management program. CC ID 14018 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a personnel security program. CC ID 10628 | Establish/Maintain Documentation | Preventive | |
| Employ individuals who have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 00782 [Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: the persons who carry out quality assurance reviews shall have appropriate professional education and relevant experience in statutory audit and financial reporting combined with specific training on quality assurance reviews; Article 29 1.(d) The system of public oversight shall be governed by non-practitioners who are knowledgeable in the areas relevant to statutory audit. Member States may, however, allow a minority of practitioners to be involved in the governance of the public oversight system. Persons involved in the governance of the public oversight system shall be selected in accordance with an independent and transparent nomination procedure. Article 32 3.] | Testing | Detective | |
| Perform security skills assessments for all critical employees. CC ID 12102 | Human Resources Management | Detective | |
| Assign security clearance procedures to qualified personnel. CC ID 06812 | Establish Roles | Preventive | |
| Assign personnel screening procedures to qualified personnel. CC ID 11699 | Establish Roles | Preventive | |
| Establish, implement, and maintain personnel screening procedures. CC ID 11700 | Establish/Maintain Documentation | Preventive | |
| Perform a background check during personnel screening. CC ID 11758 | Human Resources Management | Detective | |
| Perform a personal identification check during personnel screening. CC ID 06721 | Human Resources Management | Preventive | |
| Perform a criminal records check during personnel screening. CC ID 06643 | Establish/Maintain Documentation | Preventive | |
| Include all residences in the criminal records check. CC ID 13306 | Process or Activity | Preventive | |
| Document any reasons a full criminal records check could not be performed. CC ID 13305 | Establish/Maintain Documentation | Preventive | |
| Perform a personal references check during personnel screening. CC ID 06645 | Human Resources Management | Preventive | |
| Perform a credit check during personnel screening. CC ID 06646 | Human Resources Management | Preventive | |
| Perform an academic records check during personnel screening. CC ID 06647 | Establish/Maintain Documentation | Preventive | |
| Perform a drug test during personnel screening. CC ID 06648 | Testing | Preventive | |
| Perform a resume check during personnel screening. CC ID 06659 | Human Resources Management | Preventive | |
| Perform a curriculum vitae check during personnel screening. CC ID 06660 | Human Resources Management | Preventive | |
| Allow personnel being screened to appeal findings and appeal decisions. CC ID 06720 | Human Resources Management | Preventive | |
| Disseminate and communicate screening results to interested personnel and affected parties. CC ID 16445 | Communicate | Preventive | |
| Disseminate and communicate personnel screening procedures to interested personnel and affected parties. CC ID 16977 | Communicate | Preventive | |
| Perform personnel screening procedures, as necessary. CC ID 11763 | Human Resources Management | Preventive | |
| Document the personnel risk assessment results. CC ID 11764 | Establish/Maintain Documentation | Detective | |
| Establish, implement, and maintain security clearance procedures. CC ID 00783 | Establish/Maintain Documentation | Preventive | |
| Perform periodic background checks on designated roles, as necessary. CC ID 11759 | Human Resources Management | Detective | |
| Perform security clearance procedures, as necessary. CC ID 06644 | Human Resources Management | Preventive | |
| Establish and maintain security clearances. CC ID 01634 | Human Resources Management | Preventive | |
| Document the security clearance procedure results. CC ID 01635 | Establish/Maintain Documentation | Detective | |
| Train all personnel and third parties, as necessary. CC ID 00785 [In order to ensure the ability to apply theoretical knowledge in practice, a test of which is included in the examination, a trainee shall complete a minimum of three years' practical training in, inter alia, the auditing of annual accounts, consolidated accounts or similar financial statements. At least two thirds of such practical training shall be completed with a statutory auditor or audit firm approved in any Member State. Article 10 1.] | Behavior | Preventive | |
| Provide new hires limited network access to complete computer-based training. CC ID 17008 | Training | Preventive | |
| Establish, implement, and maintain an education methodology. CC ID 06671 [{investigation process} {disciplinary process} The system of public oversight shall have the ultimate responsibility for the oversight of: continuing education, quality assurance and investigative and disciplinary systems. Article 32 4.(c)] | Business Processes | Preventive | |
| Support certification programs as viable training programs. CC ID 13268 [Member States may provide that periods of theoretical instruction in the fields referred to in Article 8 shall count towards the periods of professional activity referred to in Article 11, provided that such instruction is attested by an examination recognised by the State. Such instruction shall not last less than one year, nor may it reduce the period of professional activity by more than four years. Article 12 1.] | Human Resources Management | Preventive | |
| Include evidence of experience in applications for professional certification. CC ID 16193 | Establish/Maintain Documentation | Preventive | |
| Include supporting documentation in applications for professional certification. CC ID 16195 | Establish/Maintain Documentation | Preventive | |
| Submit applications for professional certification. CC ID 16192 | Training | Preventive | |
| Retrain all personnel, as necessary. CC ID 01362 [Member States shall ensure that statutory auditors are required to take part in appropriate programmes of continuing education in order to maintain their theoretical knowledge, professional skills and values at a sufficiently high level, and that failure to respect the continuing education requirements is subject to appropriate penalties as referred to in Article 30. Article 13 ¶ 1] | Behavior | Preventive | |
| Tailor training to meet published guidance on the subject being taught. CC ID 02217 | Behavior | Preventive | |
| Tailor training to be taught at each person's level of responsibility. CC ID 06674 | Behavior | Preventive | |
| Conduct cross-training or staff backup training to minimize dependency on critical individuals. CC ID 00786 | Behavior | Preventive | |
| Document all training in a training record. CC ID 01423 | Establish/Maintain Documentation | Detective | |
| Use automated mechanisms in the training environment, where appropriate. CC ID 06752 | Behavior | Preventive | |
| Conduct tests and evaluate training. CC ID 06672 [Member States shall ensure that all training is carried out with persons providing adequate guarantees regarding their ability to provide practical training. Article 10 2.] | Testing | Detective | |
| Hire third parties to conduct training, as necessary. CC ID 13167 | Human Resources Management | Preventive | |
| Review the current published guidance and awareness and training programs. CC ID 01245 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain training plans. CC ID 00828 | Establish/Maintain Documentation | Preventive | |
| Approve training plans, as necessary. CC ID 17193 | Training | Preventive | |
| Train personnel to recognize conditions of diseases or sicknesses, as necessary. CC ID 14383 | Training | Detective | |
| Include prevention techniques in training regarding diseases or sicknesses. CC ID 14387 | Training | Preventive | |
| Include the concept of disease clusters when training to recognize conditions of diseases or sicknesses. CC ID 14386 | Training | Preventive | |
| Train personnel to identify and communicate symptoms of exposure to disease or sickness. CC ID 14385 | Training | Detective | |
| Develop or acquire content to update the training plans. CC ID 12867 | Training | Preventive | |
| Establish, implement, and maintain a list of tasks to include in the training plan. CC ID 17101 | Training | Preventive | |
| Designate training facilities in the training plan. CC ID 16200 | Training | Preventive | |
| Include portions of the visitor control program in the training plan. CC ID 13287 | Establish/Maintain Documentation | Preventive | |
| Include ethical culture in the security awareness program. CC ID 12801 | Human Resources Management | Preventive | |
| Include insider threats in the security awareness program. CC ID 16963 | Training | Preventive | |
| Include in scope external requirements in the training plan, as necessary. CC ID 13041 | Training | Preventive | |
| Include duties and responsibilities in the training plan, as necessary. CC ID 12800 | Human Resources Management | Preventive | |
| Conduct bespoke roles and responsibilities training, as necessary. CC ID 13192 | Training | Preventive | |
| Include risk management in the security awareness program. CC ID 13040 | Training | Preventive | |
| Conduct Archives and Records Management training. CC ID 00975 | Behavior | Preventive | |
| Conduct personal data processing training. CC ID 13757 | Training | Preventive | |
| Include in personal data processing training how to provide the contact information for the categories of personal data the organization may disclose. CC ID 13758 | Training | Preventive | |
| Include cloud security in the security awareness program. CC ID 13039 | Training | Preventive | |
| Establish, implement, and maintain a security awareness program. CC ID 11746 | Establish/Maintain Documentation | Preventive | |
| Complete security awareness training prior to being granted access to information systems or data. CC ID 17009 | Training | Preventive | |
| Establish, implement, and maintain a security awareness and training policy. CC ID 14022 | Establish/Maintain Documentation | Preventive | |
| Include compliance requirements in the security awareness and training policy. CC ID 14092 | Establish/Maintain Documentation | Preventive | |
| Include coordination amongst entities in the security awareness and training policy. CC ID 14091 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain security awareness and training procedures. CC ID 14054 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the security awareness and training procedures to interested personnel and affected parties. CC ID 14138 | Communicate | Preventive | |
| Include management commitment in the security awareness and training policy. CC ID 14049 | Establish/Maintain Documentation | Preventive | |
| Include roles and responsibilities in the security awareness and training policy. CC ID 14048 | Establish/Maintain Documentation | Preventive | |
| Include the scope in the security awareness and training policy. CC ID 14047 | Establish/Maintain Documentation | Preventive | |
| Include the purpose in the security awareness and training policy. CC ID 14045 | Establish/Maintain Documentation | Preventive | |
| Include configuration management procedures in the security awareness program. CC ID 13967 | Establish/Maintain Documentation | Preventive | |
| Include media protection in the security awareness program. CC ID 16368 | Training | Preventive | |
| Document security awareness requirements. CC ID 12146 | Establish/Maintain Documentation | Preventive | |
| Include safeguards for information systems in the security awareness program. CC ID 13046 | Establish/Maintain Documentation | Preventive | |
| Include identity and access management in the security awareness program. CC ID 17013 | Training | Preventive | |
| Include the encryption process in the security awareness program. CC ID 17014 | Training | Preventive | |
| Include security policies and security standards in the security awareness program. CC ID 13045 | Establish/Maintain Documentation | Preventive | |
| Include physical security in the security awareness program. CC ID 16369 | Training | Preventive | |
| Include data management in the security awareness program. CC ID 17010 | Training | Preventive | |
| Include e-mail and electronic messaging in the security awareness program. CC ID 17012 | Training | Preventive | |
| Include mobile device security guidelines in the security awareness program. CC ID 11803 | Establish/Maintain Documentation | Preventive | |
| Include updates on emerging issues in the security awareness program. CC ID 13184 | Training | Preventive | |
| Include cybersecurity in the security awareness program. CC ID 13183 | Training | Preventive | |
| Include implications of non-compliance in the security awareness program. CC ID 16425 | Training | Preventive | |
| Include social networking in the security awareness program. CC ID 17011 | Training | Preventive | |
| Include the acceptable use policy in the security awareness program. CC ID 15487 | Training | Preventive | |
| Include training based on the participants' level of responsibility and access level in the security awareness program. CC ID 11802 | Establish/Maintain Documentation | Preventive | |
| Include a requirement to train all new hires and interested personnel in the security awareness program. CC ID 11800 | Establish/Maintain Documentation | Preventive | |
| Include remote access in the security awareness program. CC ID 13892 | Establish/Maintain Documentation | Preventive | |
| Document the goals of the security awareness program. CC ID 12145 | Establish/Maintain Documentation | Preventive | |
| Compare current security awareness assessment reports to the security awareness baseline. CC ID 12150 | Establish/Maintain Documentation | Preventive | |
| Establish and maintain management's commitment to supporting the security awareness program. CC ID 12151 | Human Resources Management | Preventive | |
| Establish and maintain a steering committee to guide the security awareness program. CC ID 12149 | Human Resources Management | Preventive | |
| Document the scope of the security awareness program. CC ID 12148 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a security awareness baseline. CC ID 12147 | Establish/Maintain Documentation | Preventive | |
| Encourage interested personnel to obtain security certification. CC ID 11804 | Human Resources Management | Preventive | |
| Disseminate and communicate the security awareness program to all interested personnel and affected parties. CC ID 00823 | Behavior | Preventive | |
| Train all personnel and third parties on how to recognize and report security incidents. CC ID 01211 | Behavior | Preventive | |
| Train all personnel and third parties on how to recognize and report system failures. CC ID 13475 | Training | Preventive | |
| Require personnel to acknowledge, through writing their signature, that they have read and understand the organization's security policies. CC ID 01363 | Establish/Maintain Documentation | Preventive | |
| Monitor and measure the effectiveness of security awareness. CC ID 06262 | Monitor and Evaluate Occurrences | Detective | |
| Establish, implement, and maintain an environmental management system awareness program. CC ID 15200 | Establish/Maintain Documentation | Preventive | |
| Conduct secure coding and development training for developers. CC ID 06822 | Behavior | Corrective | |
| Conduct tampering prevention training. CC ID 11875 | Training | Preventive | |
| Include the mandate to refrain from installing, refrain from replacing, and refrain from returning any asset absent verification in the tampering prevention training. CC ID 11877 | Training | Preventive | |
| Include how to identify and authenticate third parties claiming to be maintenance personnel in the tampering prevention training. CC ID 11876 | Training | Preventive | |
| Include how to report tampering and unauthorized substitution in the tampering prevention training. CC ID 11879 | Training | Preventive | |
| Include how to prevent physical tampering in the tampering prevention training. CC ID 11878 | Training | Preventive | |
| Include procedures on how to inspect devices in the tampering prevention training. CC ID 11990 | Training | Preventive | |
| Train interested personnel and affected parties to collect digital forensic evidence. CC ID 08658 | Training | Preventive | |
| Conduct crime prevention training. CC ID 06350 | Behavior | Preventive | |
| Analyze and evaluate training records to improve the training program. CC ID 06380 | Monitor and Evaluate Occurrences | Detective | |
| Establish, implement, and maintain a conflict of interest policy. CC ID 14785 [{do not exist} Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: the selection of reviewers for specific quality assurance review assignments shall be effected in accordance with an objective procedure designed to ensure that there are no conflicts of interest between the reviewers and the statutory auditor or audit firm under review; Article 29 1.(e) The competent authorities shall be organised in such a manner that conflicts of interests are avoided. Article 35 2.] | Establish/Maintain Documentation | Preventive | |
| Include definitions of conflicts of interest in the conflict of interest policy. CC ID 14792 | Establish/Maintain Documentation | Preventive | |
| Include continuous monitoring for conflicts of interest in the conflict of interest policy. CC ID 17190 | Monitor and Evaluate Occurrences | Preventive | |
| Submit a conflict of interest declaration to interested personnel and affected parties. CC ID 16194 [In addition to the provisions laid down in Articles 22 and 24, Member States shall ensure that statutory auditors or audit firms that carry out the statutory audit of a public-interest entity: confirm annually in writing to the audit committee their independence from the audited public-interest entity; Article 42 1.(a)] | Communicate | Preventive | |
| Include roles and responsibilities in the conflict of interest policy. CC ID 14790 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain an ethics program. CC ID 11496 [Member States shall ensure that all statutory auditors and audit firms are subject to principles of professional ethics, covering at least their public-interest function, their integrity and objectivity and their professional competence and due care. Article 21 1. The system of public oversight shall have the ultimate responsibility for the oversight of: the adoption of standards on professional ethics, internal quality control of audit firms and auditing, and Article 32 4.(b)] | Human Resources Management | Preventive | |
| Include communication protocols for interested personnel and affected parties in the ethics program. CC ID 12858 | Communicate | Preventive | |
| Establish, implement, and maintain ethical decision-making guidelines. CC ID 12908 | Behavior | Preventive | |
| Establish, implement, and maintain investigation procedures addressing ethics complaints. CC ID 12900 | Investigate | Preventive | |
| Establish, implement, and maintain an ethical culture. CC ID 12781 | Behavior | Preventive | |
| Analyze the organizational climate regarding support for expectation of responsible behavior and integrity. CC ID 12873 | Monitor and Evaluate Occurrences | Preventive | |
| Analyze the organizational climate regarding the expectation of responsible behavior and integrity. CC ID 12872 | Monitor and Evaluate Occurrences | Preventive | |
| Refrain from practicing false advertising. CC ID 14253 | Business Processes | Preventive | |
| Establish mechanisms for whistleblowers to report compliance violations. CC ID 06806 | Business Processes | Preventive | |
| Establish mechanisms to maintain the anonymity of whistleblowers. CC ID 12859 | Communicate | Preventive | |
| Establish, implement, and maintain a training program to report compliance violations. CC ID 11835 | Establish/Maintain Documentation | Preventive | |
| Refrain from discriminating against employees who refuse or intends to refuse to do something that contravenes requirements. CC ID 13608 | Behavior | Preventive | |
| Refrain from discriminating against employees who are whistleblowers. CC ID 13609 | Behavior | Preventive | |
| Respond to ethics complaints of ethics violations. CC ID 11497 | Business Processes | Corrective | |
| Refrain from discriminating against employees who disclose that their employer or another person has or intends to contravene requirements. CC ID 13607 | Behavior | Preventive | |
| Apply legal remedies to any person knowingly partaking in illegal actions. CC ID 11515 | Human Resources Management | Preventive | |
| Include prohibiting counterfeiting in the ethics program. CC ID 11517 | Human Resources Management | Preventive | |
| Refrain from assigning roles and responsibilities that breach segregation of duties. CC ID 12055 | Human Resources Management | Preventive | |
| Refrain from assigning security compliance assessment responsibility for the day-to-day production activities an individual performs. CC ID 12061 | Establish Roles | Preventive | |
| Refrain from approving previously performed activities when acting on behalf of the Chief Information Security Officer. CC ID 12060 | Behavior | Preventive | |
| Refrain from performing activities with approval responsibility when acting on behalf of the Chief Information Security Officer. CC ID 12059 | Behavior | Preventive | |
| Prohibit roles from performing activities that they are assigned the responsibility for approving. CC ID 12052 | Behavior | Preventive | |
Leadership and high level objectives | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Leadership and high level objectives CC ID 00597 | IT Impact Zone | IT Impact Zone | |
| Establish, implement, and maintain a reporting methodology program. CC ID 02072 | Business Processes | Preventive | |
| Establish, implement, and maintain communication protocols. CC ID 12245 | Establish/Maintain Documentation | Preventive | |
| Report to management and stakeholders on the findings and information gathered from all types of inquiries. CC ID 12797 [Competent authorities shall, on request, and without undue delay, supply any information required for the purpose referred to in paragraph 1. Where necessary, the competent authorities receiving any such request shall, without undue delay, take the necessary measures to gather the required information. Information thus supplied shall be covered by the obligation of professional secrecy to which the persons employed or formerly employed by the competent authorities that received the information are subject. Article 36 4. ¶ 1] | Actionable Reports or Measurements | Preventive | |
| Establish, implement, and maintain an external reporting program. CC ID 12876 | Communicate | Preventive | |
| Include reporting to governing bodies in the external reporting plan. CC ID 12923 [Where the approval of a statutory auditor or of an audit firm is withdrawn for any reason, the competent authority of the Member State where the approval is withdrawn shall communicate that fact and the reasons for the withdrawal to the relevant competent authorities of Member States where the statutory auditor or audit firm is also approved which are entered in the first-named Member State's register in accordance with Article 16(1), point (c). Article 5 3.] | Communicate | Preventive | |
| Submit confidential treatment applications to interested personnel and affected parties. CC ID 16592 | Communicate | Preventive | |
| Include the reasons for objections to public disclosure in confidential treatment applications. CC ID 16594 | Establish/Maintain Documentation | Preventive | |
| Include contact information for the interested personnel and affected parties the report was filed with in the confidential treatment application. CC ID 16595 | Establish/Maintain Documentation | Preventive | |
| Include the information that was omitted in the confidential treatment application. CC ID 16593 | Establish/Maintain Documentation | Preventive | |
| Request extensions for submissions to governing bodies, as necessary. CC ID 16955 | Process or Activity | Preventive | |
| Analyze organizational objectives, functions, and activities. CC ID 00598 | Monitor and Evaluate Occurrences | Preventive | |
| Establish, implement, and maintain a Quality Management framework. CC ID 07196 [Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: Article 29 1. {third-country audit entity} Member States shall subject registered third-country auditors and audit entities to their systems of oversight, their quality assurance systems and their systems of investigation and penalties. A Member State may exempt a registered third-country auditor or audit entity from being subject to its quality assurance system if another Member State's or third country's system of quality assurance that has been assessed as equivalent in accordance with Article 46 has carried out a quality review of the third-country auditor or audit entity concerned during the previous three years. Article 45 3.] | Establish/Maintain Documentation | Preventive | |
| Include supply chain management standards in the Quality Management framework. CC ID 13701 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a Quality Management policy. CC ID 13694 | Establish/Maintain Documentation | Preventive | |
| Include a commitment to satisfy applicable requirements in the Quality Management policy. CC ID 13700 [Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: the quality assurance system shall be organised in such a manner that it is independent of the reviewed statutory auditors and audit firms and subject to public oversight as provided for in Chapter VIII; Article 29 1.(a)] | Establish/Maintain Documentation | Preventive | |
| Tailor the Quality Management policy to support the organization's strategic direction. CC ID 13699 | Establish/Maintain Documentation | Preventive | |
| Include a commitment to continual improvement of the Quality Management system in the Quality Management policy. CC ID 13698 | Establish/Maintain Documentation | Preventive | |
| Include critical Information Technology processes in the Quality Management framework. CC ID 13645 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the Quality Management policy to all interested personnel and affected parties. CC ID 13695 | Communicate | Preventive | |
| Disseminate and communicate the Quality Management framework to all stakeholders. CC ID 13680 | Communicate | Preventive | |
| Align the quality objectives with the Quality Management policy. CC ID 13697 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a Quality Management standard. CC ID 01006 | Establish/Maintain Documentation | Preventive | |
| Document the measurements used by Quality Assurance and Quality Control testing. CC ID 07200 | Establish/Maintain Documentation | Preventive | |
| Enforce a continuous Quality Control system. CC ID 01005 [Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: quality assurance reviews shall take place at least every six years; Article 29 1.(h) The system of public oversight shall have the ultimate responsibility for the oversight of: the adoption of standards on professional ethics, internal quality control of audit firms and auditing, and Article 32 4.(b)] | Business Processes | Detective | |
| Conduct Quality Control to ensure adherence to Information Technology policies, standards, and procedures. CC ID 01008 | Testing | Detective | |
| Establish, implement, and maintain a Quality Management program. CC ID 07201 [Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: the quality assurance system shall be organised in such a manner that it is independent of the reviewed statutory auditors and audit firms and subject to public oversight as provided for in Chapter VIII; Article 29 1.(a) {investigation process} {disciplinary process} The system of public oversight shall have the ultimate responsibility for the oversight of: continuing education, quality assurance and investigative and disciplinary systems. Article 32 4.(c)] | Establish/Maintain Documentation | Preventive | |
| Notify affected parties and interested personnel of quality management system approvals that have been refused, suspended, or withdrawn. CC ID 15045 | Communicate | Preventive | |
| Notify affected parties and interested personnel of quality management system approvals that have been issued. CC ID 15036 | Communicate | Preventive | |
| Correct errors and deficiencies in a timely manner. CC ID 13501 | Business Processes | Corrective | |
| Include quality objectives in the Quality Management program. CC ID 13693 | Establish/Maintain Documentation | Preventive | |
| Include monitoring and analysis capabilities in the quality management program. CC ID 17153 | Monitor and Evaluate Occurrences | Preventive | |
| Include records management in the quality management system. CC ID 15055 | Establish/Maintain Documentation | Preventive | |
| Include risk management in the quality management system. CC ID 15054 | Establish/Maintain Documentation | Preventive | |
| Include data management procedures in the quality management system. CC ID 15052 | Establish/Maintain Documentation | Preventive | |
| Include a post-market monitoring system in the quality management system. CC ID 15027 | Establish/Maintain Documentation | Preventive | |
| Include operational roles and responsibilities in the quality management system. CC ID 15028 | Establish/Maintain Documentation | Preventive | |
| Include quality gates and testing milestones in the Quality Management program. CC ID 06825 | Systems Design, Build, and Implementation | Preventive | |
| Include resource management in the quality management system. CC ID 15026 [Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: the quality assurance system shall have adequate resources; Article 29 1.(c) Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: the scope of the quality assurance review, supported by adequate testing of selected audit files, shall include an assessment of compliance with applicable auditing standards and independence requirements, of the quantity and quality of resources spent, of the audit fees charged and of the internal quality control system of the audit firm; Article 29 1.(f)] | Establish/Maintain Documentation | Preventive | |
| Include communication protocols in the quality management system. CC ID 15025 | Establish/Maintain Documentation | Preventive | |
| Include incident reporting procedures in the quality management system. CC ID 15023 | Establish/Maintain Documentation | Preventive | |
| Include technical specifications in the quality management system. CC ID 15021 | Establish/Maintain Documentation | Preventive | |
| Document the deficiencies in a deficiency report that were found during Quality Control and corrected during Quality Improvement. CC ID 07203 [Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: the quality assurance review shall be the subject of a report which shall contain the main conclusions of the quality assurance review; Article 29 1.(g)] | Establish/Maintain Documentation | Preventive | |
| Include program documentation standards in the Quality Management program. CC ID 01016 | Establish/Maintain Documentation | Preventive | |
| Establish and maintain time frames for correcting deficiencies found during Quality Control. CC ID 07206 | Business Processes | Detective | |
| Include program testing standards in the Quality Management program. CC ID 01017 | Establish/Maintain Documentation | Preventive | |
| Review and analyze any quality improvement goals that were missed. CC ID 07204 | Business Processes | Detective | |
| Include system testing standards in the Quality Management program. CC ID 01018 | Establish/Maintain Documentation | Preventive | |
| Include an issue tracking system in the Quality Management program. CC ID 06824 [Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: recommendations of quality reviews shall be followed up by the statutory auditor or audit firm within a reasonable period. Article 29 1.(j)] | Systems Design, Build, and Implementation | Preventive | |
| Establish, implement, and maintain a financial management program. CC ID 13228 [Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: the funding for the quality assurance system shall be secure and free from any possible undue influence by statutory auditors or audit firms; Article 29 1.(b) The system of public oversight shall be adequately funded. The funding for the public oversight system shall be secure and free from any undue influence by statutory auditors or audit firms. Article 32 7.] | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain funds transfer procedures. CC ID 16754 | Establish/Maintain Documentation | Preventive | |
| Provide required information that is missing from a funds transfer to the responsible party. CC ID 16761 | Communicate | Preventive | |
| Return the funds from a funds transfer when required information is not received or discrepancies resolved. CC ID 16760 | Business Processes | Preventive | |
| Delay the funds transfer until all required information has been received or discrepancies resolved. CC ID 16759 | Business Processes | Preventive | |
| Refrain from making funds from a funds transfer available to the interested personnel until all required information is received. CC ID 16758 | Business Processes | Preventive | |
| Investigate discrepancies between the information received and the information verified for each funds transfer. CC ID 16757 | Investigate | Detective | |
| Attach the required information to each funds transfer. CC ID 16756 | Business Processes | Preventive | |
| Verify all required information is attached to each funds transfer. CC ID 16755 | Business Processes | Detective | |
| Establish, implement, and maintain protective measures for customers from a bank's insolvency or default. CC ID 16738 | Business Processes | Preventive | |
| Test the protective measures for effectiveness to prevent financial impact to responsible parties. CC ID 16750 | Testing | Preventive | |
| Include communication protocols in the financial management program. CC ID 16763 | Establish/Maintain Documentation | Preventive | |
| Include ongoing monitoring in the financial management program. CC ID 16762 | Process or Activity | Preventive | |
| Employ tools to manage settlement and funding flows. CC ID 16743 | Process or Activity | Preventive | |
| Refrain from setting up anonymous financial accounts. CC ID 16721 | Business Processes | Preventive | |
| Identify and maintain positions in financial accounts. CC ID 16751 | Business Processes | Preventive | |
| Establish, implement, and maintain a financial products and services disclosure policy. CC ID 16717 | Establish/Maintain Documentation | Preventive | |
| Require acknowledgment of receipt from the customer in the financial products and services disclosure policy. CC ID 16725 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a subsidiary compliance program. CC ID 16694 | Process or Activity | Preventive | |
| Establish, implement, and maintain financial resource management procedures. CC ID 16642 [The system of public oversight shall be adequately funded. The funding for the public oversight system shall be secure and free from any undue influence by statutory auditors or audit firms. Article 32 7.] | Establish/Maintain Documentation | Preventive | |
| Document the rationale for the amount of financial resources being held. CC ID 16688 | Establish/Maintain Documentation | Preventive | |
| Supplement financial resources, as necessary. CC ID 16685 | Business Processes | Preventive | |
| Establish, implement, and maintain collateral procedures. CC ID 16653 | Establish/Maintain Documentation | Preventive | |
| Include the use of appropriate models in the collateral procedures. CC ID 16687 | Establish/Maintain Documentation | Preventive | |
| Define the collateral requirements in the collateral procedures. CC ID 16686 | Establish/Maintain Documentation | Preventive | |
| Test the collateral requirements for appropriateness. CC ID 16681 | Testing | Preventive | |
| Limit the types of assets accepted as collateral. CC ID 16602 | Business Processes | Preventive | |
| Avoid the use of concentrated holdings of assets. CC ID 16651 | Business Processes | Preventive | |
| Establish, implement, and maintain stress test plans for financial resources. CC ID 16644 | Testing | Preventive | |
| Include stress scenarios in the stress test plan. CC ID 16659 | Testing | Preventive | |
| Analyze the effectiveness of the stress test plan. CC ID 16657 | Process or Activity | Detective | |
| Perform stress testing in accordance with the stress test plan. CC ID 16652 | Testing | Preventive | |
| Disseminate and communicate the results of stress testing to interested personnel and affected parties. CC ID 16630 | Communicate | Preventive | |
| Identify and document the financial resources available for use. CC ID 16643 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain credit loss procedures. CC ID 16683 | Establish/Maintain Documentation | Preventive | |
| Include the allocation of credit losses in the credit loss procedures. CC ID 16684 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a securities trading program. CC ID 16626 | Business Processes | Preventive | |
| Include fairness and equitability standards in the securities trading program. CC ID 16690 | Establish/Maintain Documentation | Preventive | |
| Include roles and responsibilities in the securities trading program. CC ID 16689 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a capital restoration plan. CC ID 16613 | Establish/Maintain Documentation | Preventive | |
| Include performance guarantees in the capital restoration plan. CC ID 16616 | Establish/Maintain Documentation | Preventive | |
| Include corrective actions taken in the capital restoration plan. CC ID 16612 | Establish/Maintain Documentation | Preventive | |
| Include required information in the capital restoration plan. CC ID 16609 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain valuation procedures. CC ID 16634 | Establish/Maintain Documentation | Preventive | |
| Include investment information in approval requests for investments. CC ID 16590 | Business Processes | Preventive | |
| Establish, implement, and maintain capital withdrawal requirements. CC ID 16576 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain lending policies. CC ID 16608 | Establish/Maintain Documentation | Preventive | |
| Align the lending policy with the organization's risk acceptance level. CC ID 16716 | Process or Activity | Preventive | |
| Include the requirements for risk assessments in the lending policy. CC ID 16730 | Establish/Maintain Documentation | Preventive | |
| Include the requirements for sensitivity analyses in the lending policy. CC ID 16728 | Establish/Maintain Documentation | Preventive | |
| Include the requirements for feasibility studies in the lending policy. CC ID 16726 | Establish/Maintain Documentation | Preventive | |
| Include pricing structures in the lending policy. CC ID 16724 | Establish/Maintain Documentation | Preventive | |
| Include monitoring requirements in the lending policy. CC ID 16710 | Establish/Maintain Documentation | Preventive | |
| Include loan origination procedures in the lending policy. CC ID 16709 | Establish/Maintain Documentation | Preventive | |
| Include review procedures and approval procedures for exception loans in the lending policy. CC ID 16708 | Establish/Maintain Documentation | Preventive | |
| Include loan requirements in the lending policy. CC ID 16706 | Establish/Maintain Documentation | Preventive | |
| Include appraisals and evaluations in the lending policy. CC ID 16705 | Establish/Maintain Documentation | Preventive | |
| Include terms and conditions in the lending policy. CC ID 16695 | Establish/Maintain Documentation | Preventive | |
| Include the scope and distribution of loans in the lending policy. CC ID 16693 | Establish/Maintain Documentation | Preventive | |
| Include geographic areas in the lending policy. CC ID 16691 | Establish/Maintain Documentation | Preventive | |
| Include underwriting guidelines in the lending policy. CC ID 16619 | Establish/Maintain Documentation | Preventive | |
| Include credit review in the underwriting guidelines. CC ID 16765 | Establish/Maintain Documentation | Preventive | |
| Include loan-to-value ratio limits in the lending policy. CC ID 16618 | Establish/Maintain Documentation | Preventive | |
| Include documentation requirements in the lending policy. CC ID 16617 | Establish/Maintain Documentation | Preventive | |
| Include the purpose of the loan in the loan documentation. CC ID 16747 | Establish/Maintain Documentation | Preventive | |
| Include the source of repayment in the loan documentation. CC ID 16746 | Establish/Maintain Documentation | Preventive | |
| Include approval requirements in the lending policy. CC ID 16615 | Establish/Maintain Documentation | Preventive | |
| Include reporting requirements in the lending policy. CC ID 16614 | Establish/Maintain Documentation | Preventive | |
| Include loan portfolio diversification standards in the lending policy. CC ID 16611 | Establish/Maintain Documentation | Preventive | |
| Include loan administration procedures in the lending policy. CC ID 16610 | Establish/Maintain Documentation | Preventive | |
| Include loan participation agreements in the loan administration procedures. CC ID 16745 | Establish/Maintain Documentation | Preventive | |
| Include termination procedures in the loan participation agreement. CC ID 16753 | Establish/Maintain Documentation | Preventive | |
| Justify the safety and efficiency of the participation requirements in the loan participation agreement. CC ID 16752 | Establish/Maintain Documentation | Preventive | |
| Include servicing agreements in the loan administration procedures. CC ID 16744 | Establish/Maintain Documentation | Preventive | |
| Include claims processing in the loan administration procedures. CC ID 16742 | Establish/Maintain Documentation | Preventive | |
| Include forbearance management in the loan administration procedures. CC ID 16741 | Establish/Maintain Documentation | Preventive | |
| Include foreclosure management in the loan administration procedures. CC ID 16740 | Establish/Maintain Documentation | Preventive | |
| Include delinquency management in the loan administration procedures. CC ID 16739 | Establish/Maintain Documentation | Preventive | |
| Include customer due diligence in the loan administration procedures. CC ID 16736 | Process or Activity | Preventive | |
| Include the requirements for financial statements in the loan administration procedures. CC ID 16735 | Establish/Maintain Documentation | Preventive | |
| Include loan closing in the loan administration procedures. CC ID 16734 | Establish/Maintain Documentation | Preventive | |
| Include payoff statements in the loan administration procedures. CC ID 16733 | Establish/Maintain Documentation | Preventive | |
| Include payment processing in the loan administration procedures. CC ID 16732 | Establish/Maintain Documentation | Preventive | |
| Include loan reviews in the loan administration procedures. CC ID 16703 | Establish/Maintain Documentation | Preventive | |
| Include collections in the loan administration procedures. CC ID 16701 | Establish/Maintain Documentation | Preventive | |
| Include collateral inspections in the loan administration procedures. CC ID 16699 | Establish/Maintain Documentation | Preventive | |
| Include disbursements in the loan administration procedures. CC ID 16697 | Establish/Maintain Documentation | Preventive | |
| Review and approve lending policies. CC ID 16607 | Business Processes | Preventive | |
| Establish, implement, and maintain a dividend policy. CC ID 16569 | Establish/Maintain Documentation | Preventive | |
| Include compliance requirements in the dividend policy. CC ID 16570 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain margin systems. CC ID 16601 | Business Processes | Preventive | |
| Include valuation models in the margin system. CC ID 16663 | Data and Information Management | Preventive | |
| Include procedures for collecting price data in the margin system. CC ID 16662 | Data and Information Management | Preventive | |
| Include reliable sources for price data in the margin system. CC ID 16661 | Data and Information Management | Preventive | |
| Validate the margin system on a regular basis. CC ID 16660 | Testing | Detective | |
| Assess the properties of the margin model used in the margin system. CC ID 16658 | Process or Activity | Detective | |
| Monitor the performance of the margin system. CC ID 16655 | Monitor and Evaluate Occurrences | Detective | |
| Analyze the performance of the margin system. CC ID 16654 | Process or Activity | Detective | |
| Establish, implement, and maintain capital adequacy measures. CC ID 16568 | Business Processes | Preventive | |
| Establish, implement, and maintain escrow procedures for financial transactions. CC ID 16564 | Establish/Maintain Documentation | Preventive | |
| Determine the amount of assets to be held in escrow. CC ID 16575 | Investigate | Detective | |
| Disseminate and communicate the escrow procedures to interested personnel and affected parties. CC ID 16565 | Communicate | Preventive | |
| Establish, implement, and maintain a Capital Planning and Investment Control policy. CC ID 06279 | Establish/Maintain Documentation | Preventive | |
| Include risk management in the Capital Planning and Investment Control policy. CC ID 16764 | Establish/Maintain Documentation | Preventive | |
| Include debt rating requirements in the Capital Planning and Investment Control policy. CC ID 16692 | Establish/Maintain Documentation | Preventive | |
| Include divestiture requirements in the Capital Planning and Investment Control policy. CC ID 16591 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a recordkeeping system for securities transactions. CC ID 16631 | Establish/Maintain Documentation | Preventive | |
| Include order tickets in the recordkeeping system for securities transactions. CC ID 16640 | Data and Information Management | Preventive | |
| Include receipts and deliveries of securities in the recordkeeping system for securities transactions. CC ID 16650 | Data and Information Management | Preventive | |
| Include debits and credits in the recordkeeping system for securities transactions. CC ID 16639 | Data and Information Management | Preventive | |
| Include a description of the transaction in the recordkeeping system for securities transactions. CC ID 16645 | Data and Information Management | Preventive | |
| Include chronological records of transactions in the recordkeeping system for securities transactions. CC ID 16638 | Data and Information Management | Preventive | |
| Include the name of the dealer in the recordkeeping system for securities transactions. CC ID 16637 | Data and Information Management | Preventive | |
| Include the execution price in the recordkeeping system for securities transactions. CC ID 16636 | Data and Information Management | Preventive | |
| Include the date and time of the transaction in the recordkeeping system for securities transactions. CC ID 16635 | Data and Information Management | Preventive | |
| Include the type of transaction in the recordkeeping system for securities transactions. CC ID 16633 | Data and Information Management | Preventive | |
| Include account information In the recordkeeping system for securities transactions. CC ID 16632 | Data and Information Management | Preventive | |
| Establish, implement, and maintain securities transaction notifications. CC ID 16600 | Establish/Maintain Documentation | Preventive | |
| Include the call date in the securities transaction notification. CC ID 16680 | Establish/Maintain Documentation | Preventive | |
| Include service charges and commissions in the securities transaction notification. CC ID 16702 | Establish/Maintain Documentation | Preventive | |
| Include the funds and securities in the possession of the organization in the securities transaction notification. CC ID 16679 | Establish/Maintain Documentation | Preventive | |
| Include the call price in the securities transaction notification. CC ID 16678 | Establish/Maintain Documentation | Preventive | |
| Include debits and credits in the securities transaction notification. CC ID 16677 | Establish/Maintain Documentation | Preventive | |
| Include transactions in the securities transaction notification. CC ID 16676 | Establish/Maintain Documentation | Preventive | |
| Include the credit rating of securities in the securities transaction notification. CC ID 16674 | Establish/Maintain Documentation | Preventive | |
| Include yield information in the securities transaction notification. CC ID 16673 | Establish/Maintain Documentation | Preventive | |
| Include redemption information in the securities transaction notification. CC ID 16672 | Establish/Maintain Documentation | Preventive | |
| Include the price calculated from the yield in the securities transaction notification. CC ID 16669 | Establish/Maintain Documentation | Preventive | |
| Include the type of call in the securities transaction notification. CC ID 16668 | Establish/Maintain Documentation | Preventive | |
| Include an account statement in the securities transaction notification. CC ID 16666 | Establish/Maintain Documentation | Preventive | |
| Include the yield to maturity in the securities transaction notification. CC ID 16665 | Establish/Maintain Documentation | Preventive | |
| Include the execution price in the securities transaction notification. CC ID 16664 | Establish/Maintain Documentation | Preventive | |
| Include the organization's role in the securities transaction notification. CC ID 16646 | Establish/Maintain Documentation | Preventive | |
| Include the name of the broker in the securities transaction notification. CC ID 16647 | Establish/Maintain Documentation | Preventive | |
| Include the name of the customer in the securities transaction notification. CC ID 16625 | Establish/Maintain Documentation | Preventive | |
| Include the organization's name in the securities transaction notification. CC ID 16624 | Establish/Maintain Documentation | Preventive | |
| Include confirmations in the securities transaction notification. CC ID 16623 | Establish/Maintain Documentation | Preventive | |
| Include remunerations in the securities transaction notification. CC ID 16622 | Establish/Maintain Documentation | Preventive | |
| Include requested information in the securities transaction notification. CC ID 16641 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate securities transaction notifications to interested personnel and affected parties. CC ID 16621 | Communicate | Preventive | |
| Include the execution date in the securities transaction notification. CC ID 16620 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain financial reports. CC ID 14770 [Without prejudice to the responsibility of the members of the administrative, management or supervisory bodies, or of other members who are appointed by the general meeting of shareholders of the audited entity, the audit committee shall, inter alia: monitor the financial reporting process; Article 41 2.(a)] | Establish/Maintain Documentation | Preventive | |
| Structure financial reports in accordance with external requirements, as necessary. CC ID 14776 | Establish/Maintain Documentation | Preventive | |
| Include the report of independent Certified Public Accountants in the financial report. CC ID 14779 | Establish/Maintain Documentation | Preventive | |
| Include the business need justification for lost value in the financial report. CC ID 15588 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the financial report to interested personnel and affected parties. CC ID 16342 | Communicate | Preventive | |
| Include financial statements in the financial report, as necessary. CC ID 14775 | Establish/Maintain Documentation | Preventive | |
| Include capital deductions and adjustments in the financial statement. CC ID 16667 | Establish/Maintain Documentation | Preventive | |
| Include earnings per share or loss per share in the financial statement. CC ID 16597 | Establish/Maintain Documentation | Preventive | |
| Include material contingencies in the financial statement. CC ID 16596 | Establish/Maintain Documentation | Preventive | |
| Include notes to financial statements in the financial report, as necessary. CC ID 14780 | Establish/Maintain Documentation | Preventive | |
| Include information on loans to small businesses and small farms in the call report. CC ID 16731 | Establish/Maintain Documentation | Preventive | |
| Include assets and liabilities in the call report. CC ID 16729 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the call report to interested personnel and affected parties. CC ID 16727 | Communicate | Preventive | |
Monitoring and measurement | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Monitoring and measurement CC ID 00636 | IT Impact Zone | IT Impact Zone | |
| Establish, implement, and maintain a compliance monitoring policy. CC ID 00671 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a metrics policy. CC ID 01654 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain an approach for compliance monitoring. CC ID 01653 | Establish/Maintain Documentation | Preventive | |
| Monitor personnel and third parties for compliance to the organizational compliance framework. CC ID 04726 | Monitor and Evaluate Occurrences | Detective | |
| Carry out disciplinary actions when a compliance violation is detected. CC ID 06675 [Member States shall ensure that statutory auditors are required to take part in appropriate programmes of continuing education in order to maintain their theoretical knowledge, professional skills and values at a sufficiently high level, and that failure to respect the continuing education requirements is subject to appropriate penalties as referred to in Article 30. Article 13 ¶ 1 If the recommendations referred to in point (j) are not followed up, the statutory auditor or audit firm shall, if applicable, be subject to the system of disciplinary actions or penalties referred to in Article 30. Article 29 1. ¶ 1 Where a competent authority concludes that activities contrary to the provisions of this Directive are being or have been carried out on the territory of another Member State, it shall notify the competent authority of the other Member State of that conclusion in as specific a manner as possible. The competent authority of the other Member State shall take appropriate action. It shall inform the notifying competent authority of the outcome and, to the extent possible, of significant interim developments. Article 36 5. Without prejudice to Member States' civil liability regimes, Member States shall provide for effective, proportionate and dissuasive penalties in respect of statutory auditors and audit firms, where statutory audits are not carried out in conformity with the provisions adopted in the implementation of this Directive. Article 30 2. {investigation process} {disciplinary process} The system of public oversight shall have the ultimate responsibility for the oversight of: continuing education, quality assurance and investigative and disciplinary systems. Article 32 4.(c) The system of public oversight shall have the right, where necessary, to conduct investigations in relation to statutory auditors and audit firms and the right to take appropriate action. Article 32 5. {third-country audit entity} Member States shall subject registered third-country auditors and audit entities to their systems of oversight, their quality assurance systems and their systems of investigation and penalties. A Member State may exempt a registered third-country auditor or audit entity from being subject to its quality assurance system if another Member State's or third country's system of quality assurance that has been assessed as equivalent in accordance with Article 46 has carried out a quality review of the third-country auditor or audit entity concerned during the previous three years. Article 45 3.] | Behavior | Corrective | |
| Align disciplinary actions with the level of compliance violation. CC ID 12404 | Human Resources Management | Preventive | |
| Establish, implement, and maintain disciplinary action notices. CC ID 16577 | Establish/Maintain Documentation | Preventive | |
| Include a copy of the order in the disciplinary action notice. CC ID 16606 | Establish/Maintain Documentation | Preventive | |
| Include the sanctions imposed in the disciplinary action notice. CC ID 16599 | Establish/Maintain Documentation | Preventive | |
| Include the effective date of the sanctions in the disciplinary action notice. CC ID 16589 | Establish/Maintain Documentation | Preventive | |
| Include the requirements that were violated in the disciplinary action notice. CC ID 16588 | Establish/Maintain Documentation | Preventive | |
| Include responses to charges from interested personnel and affected parties in the disciplinary action notice. CC ID 16587 | Establish/Maintain Documentation | Preventive | |
| Include the reasons for imposing sanctions in the disciplinary action notice. CC ID 16586 | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the disciplinary action notice to interested personnel and affected parties. CC ID 16585 [Where a competent authority concludes that activities contrary to the provisions of this Directive are being or have been carried out on the territory of another Member State, it shall notify the competent authority of the other Member State of that conclusion in as specific a manner as possible. The competent authority of the other Member State shall take appropriate action. It shall inform the notifying competent authority of the outcome and, to the extent possible, of significant interim developments. Article 36 5.] | Communicate | Preventive | |
| Include required information in the disciplinary action notice. CC ID 16584 | Establish/Maintain Documentation | Preventive | |
| Include a justification for actions taken in the disciplinary action notice. CC ID 16583 | Establish/Maintain Documentation | Preventive | |
| Include a statement on the conclusions of the investigation in the disciplinary action notice. CC ID 16582 | Establish/Maintain Documentation | Preventive | |
| Include the investigation results in the disciplinary action notice. CC ID 16581 | Establish/Maintain Documentation | Preventive | |
| Include a description of the causes of the actions taken in the disciplinary action notice. CC ID 16580 | Establish/Maintain Documentation | Preventive | |
| Include the name of the person responsible for the charges in the disciplinary action notice. CC ID 16579 | Establish/Maintain Documentation | Preventive | |
| Include contact information in the disciplinary action notice. CC ID 16578 | Establish/Maintain Documentation | Preventive | |
Operational management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Operational management CC ID 00805 | IT Impact Zone | IT Impact Zone | |
| Establish, implement, and maintain a registration database. CC ID 15048 [{unique identifier} Member States shall ensure that each statutory auditor and audit firm is identified in the public register by an individual number. Registration information shall be stored in the register in electronic form and shall be electronically accessible to the public. Article 15 2. Member States shall ensure that statutory auditors and audit firms notify the competent authorities in charge of the public register without undue delay of any change of information contained in the public register. The register shall be updated without undue delay after notification. Article 18 ¶ 1 Each Member State shall ensure that statutory auditors and audit firms are entered in a public register in accordance with Articles 16 and 17. In exceptional circumstances, Member States may disapply the requirements laid down in this Article and Article 16 regarding disclosure only to the extent necessary to mitigate an imminent and significant threat to the personal security of any person. Article 15 1.] | Data and Information Management | Preventive | |
| Grant registration after competence and integrity is verified. CC ID 16802 [Member States may additionally allow the information to be entered in the public register in any other official language(s) of the Community. Member States may require the translation of the information to be certified. Article 20 2. ¶ 1 {public register} In all cases, the Member State concerned shall ensure that the register indicates whether or not the translation is certified. Article 20 2. ¶ 2] | Behavior | Detective | |
| Implement access restrictions for information in the registration database. CC ID 17235 | Data and Information Management | Preventive | |
| Include registration numbers in the registration database. CC ID 17272 [As regards statutory auditors, the public register shall contain at least the following information: name, address and registration number; Article 16 1.(a) As regards statutory auditors, the public register shall contain at least the following information: if applicable, the name, address, website address and registration number of the audit firm(s) by which the statutory auditor is employed, or with whom he or she is associated as a partner or otherwise; Article 16 1.(b) As regards audit firms, the public register shall contain at least the following information: name, address and registration number; Article 17 1.(a)] | Data and Information Management | Preventive | |
| Include electronic signatures in the registration database. CC ID 17281 [{public register} The information provided to the relevant competent authorities in accordance with Articles 16, 17 and 18 shall be signed by the statutory auditor or audit firm. Where the competent authority provides for the information to be made available electronically, that can, for example, be done by means of an electronic signature as defined in point 1 of Article 2 of Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures (19). Article 19 ¶ 1] | Data and Information Management | Preventive | |
| Include other registrations in the registration database. CC ID 17274 [As regards audit firms, the public register shall contain at least the following information: all other registration(s) as audit firm with the competent authorities of other Member States and as audit entity with third countries, including the name(s) of the registration authority(ies), and, if applicable, the registration number(s). Article 17 1.(i)] | Data and Information Management | Preventive | |
| Include the owners and shareholders in the registration database. CC ID 17273 [As regards audit firms, the public register shall contain at least the following information: names and business addresses of all owners and shareholders; Article 17 1.(f)] | Data and Information Management | Preventive | |
| Include contact details in the registration database. CC ID 15109 [The public register shall also contain the name and address of the competent authorities responsible for approval as referred to in Article 3, for quality assurance as referred to in Article 29, for investigations and penalties on statutory auditors and audit firms as referred to in Article 30, and for public oversight as referred to in Article 32. Article 15 3. As regards statutory auditors, the public register shall contain at least the following information: name, address and registration number; Article 16 1.(a) As regards statutory auditors, the public register shall contain at least the following information: if applicable, the name, address, website address and registration number of the audit firm(s) by which the statutory auditor is employed, or with whom he or she is associated as a partner or otherwise; Article 16 1.(b) As regards statutory auditors, the public register shall contain at least the following information: if applicable, the name, address, website address and registration number of the audit firm(s) by which the statutory auditor is employed, or with whom he or she is associated as a partner or otherwise; Article 16 1.(b) As regards audit firms, the public register shall contain at least the following information: name, address and registration number; Article 17 1.(a) As regards audit firms, the public register shall contain at least the following information: contact information, the primary contact person and, where applicable, the website address; Article 17 1.(c) As regards audit firms, the public register shall contain at least the following information: contact information, the primary contact person and, where applicable, the website address; Article 17 1.(c) As regards audit firms, the public register shall contain at least the following information: address of each office in the Member State; Article 17 1.(d) As regards audit firms, the public register shall contain at least the following information: names and business addresses of all members of the administrative or management body; Article 17 1.(g) As regards audit firms, the public register shall contain at least the following information: if applicable, the membership of a network and a list of the names and addresses of member firms and affiliates or an indication of the place where such information is publicly available; Article 17 1.(h)] | Establish/Maintain Documentation | Preventive | |
| Include personal data in the registration database, as necessary. CC ID 15108 | Establish/Maintain Documentation | Preventive | |
| Publish the registration information in the registration database in an official language. CC ID 17280 [The information entered in the public register shall be drawn up in one of the languages permitted by the language rules applicable in the Member State concerned. Article 20 1. Member States may additionally allow the information to be entered in the public register in any other official language(s) of the Community. Member States may require the translation of the information to be certified. Article 20 2. ¶ 1] | Data and Information Management | Preventive | |
| Make the registration database available to the public. CC ID 15107 [{unique identifier} Member States shall ensure that each statutory auditor and audit firm is identified in the public register by an individual number. Registration information shall be stored in the register in electronic form and shall be electronically accessible to the public. Article 15 2.] | Communicate | Preventive | |
| Maintain non-public information in a protected area in the registration database. CC ID 17237 | Data and Information Management | Preventive | |
| Impose conditions or restrictions on the termination or suspension of a registration. CC ID 16796 | Business Processes | Preventive | |
| Publish the IP addresses being used by each external customer in the registration database. CC ID 16403 | Data and Information Management | Preventive | |
| Update registration information upon changes. CC ID 17275 [Member States shall ensure that statutory auditors and audit firms notify the competent authorities in charge of the public register without undue delay of any change of information contained in the public register. The register shall be updated without undue delay after notification. Article 18 ¶ 1] | Data and Information Management | Preventive | |
| Maintain the accuracy of registry information published in registration databases. CC ID 16402 | Data and Information Management | Preventive | |
| Maintain ease of use for information in the registration database. CC ID 17239 [{unique identifier} Member States shall ensure that each statutory auditor and audit firm is identified in the public register by an individual number. Registration information shall be stored in the register in electronic form and shall be electronically accessible to the public. Article 15 2.] | Data and Information Management | Preventive | |
| Include all required information in the registration database. CC ID 15106 [As regards statutory auditors, the public register shall contain at least the following information: all other registration(s) as statutory auditor with the competent authorities of other Member States and as auditor with third countries, including the name(s) of the registration authority(ies), and, if applicable, the registration number(s). Article 16 1.(c) As regards audit firms, the public register shall contain at least the following information: name and registration number of all statutory auditors employed by or associated as partners or otherwise with the audit firm; Article 17 1.(e) {not be indicated} {public register} Third-country audit entities registered in accordance with Article 45 shall be clearly indicated in the register as such and not as audit firms. Article 17 2. {public register} {do not indicate} Third-country auditors registered in accordance with Article 45 shall be clearly indicated in the register as such and not as statutory auditors. Article 16 2. As regards audit firms, the public register shall contain at least the following information: legal form; Article 17 1.(b) {third-country audit entity} The competent authorities of a Member State shall, in accordance with Articles 15 to 17, register every third-country auditor and audit entity that provides an audit report concerning the annual or consolidated accounts of a company incorporated outwith the Community whose transferable securities are admitted to trading on a regulated market of that Member State within the meaning of point 14 of Article 4(1) of Directive 2004/39/EC, except when the company is an issuer exclusively of debt securities admitted to trading on a regulated market in a Member State within the meaning of Article 2(1)(b) of Directive 2004/109/EC, the denomination per unit of which is at least EUR 50 000 or, in case of debt securities denominated in another currency, equivalent, at the date of issue, to at least EUR 50 000. Article 45 1.] | Data and Information Management | Preventive | |
Privacy protection for information and data | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Privacy protection for information and data CC ID 00008 | IT Impact Zone | IT Impact Zone | |
| Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a personal data accountability program. CC ID 13432 | Establish/Maintain Documentation | Preventive | |
| Require data controllers to be accountable for their actions. CC ID 00470 | Establish Roles | Preventive | |
| Notify the supervisory authority. CC ID 00472 [Where a competent authority concludes that activities contrary to the provisions of this Directive are being or have been carried out on the territory of another Member State, it shall notify the competent authority of the other Member State of that conclusion in as specific a manner as possible. The competent authority of the other Member State shall take appropriate action. It shall inform the notifying competent authority of the outcome and, to the extent possible, of significant interim developments. Article 36 5. Member States shall communicate to the Commission the working arrangements referred to in paragraphs 1 and 4. Article 47 6.] | Behavior | Preventive | |
| Establish, implement, and maintain approval applications. CC ID 16778 [The competent authorities of the Member States shall establish procedures for the approval of statutory auditors who have been approved in other Member States. Those procedures shall not go beyond a requirement to pass an aptitude test in accordance with Article 4 of Council Directive 89/48/EEC of 21 December 1988 on a general system for the recognition of higher-education diplomas awarded on completion of professional education and training of at least three years' duration (18). The aptitude test, which shall be conducted in one of the languages permitted by the language rules applicable in the Member State concerned, shall cover only the statutory auditor's adequate knowledge of the laws and regulations of that Member State in so far as relevant to statutory audits. Article 14 ¶ 1] | Establish/Maintain Documentation | Preventive | |
| Define the requirements for approving or denying approval applications. CC ID 16780 | Business Processes | Preventive | |
| Submit approval applications to the supervisory authority. CC ID 16627 | Communicate | Preventive | |
| Include required information in the approval application. CC ID 16628 | Establish/Maintain Documentation | Preventive | |
| Extend the time limit for approving or denying approval applications. CC ID 16779 | Business Processes | Preventive | |
| Approve the approval application unless applicant has been convicted. CC ID 16603 | Process or Activity | Preventive | |
| Provide the supervisory authority with any information requested by the supervisory authority. CC ID 12606 [Competent authorities shall, on request, and without undue delay, supply any information required for the purpose referred to in paragraph 1. Where necessary, the competent authorities receiving any such request shall, without undue delay, take the necessary measures to gather the required information. Information thus supplied shall be covered by the obligation of professional secrecy to which the persons employed or formerly employed by the competent authorities that received the information are subject. Article 36 4. ¶ 1] | Process or Activity | Preventive | |
| Notify the supervisory authority of the safeguards employed to protect the data subject's rights. CC ID 12605 | Communicate | Preventive | |
| Respond to questions about submissions in a timely manner. CC ID 16930 | Communicate | Preventive | |
| Include any reasons for delay if notifying the supervisory authority after the time limit. CC ID 12675 [If the requested competent authority is not able to supply the required information without undue delay, it shall notify the requesting competent authority of the reasons therefor. Article 36 4. ¶ 2] | Communicate | Corrective | |
| Establish, implement, and maintain a personal data use limitation program. CC ID 13428 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain data access procedures. CC ID 00414 [The working arrangements referred to in paragraph 1(d) shall ensure that: justification as to the purpose of the request for audit working papers and other documents is provided by the competent authorities; Article 47 2.(a)] | Establish/Maintain Documentation | Preventive | |
| Allow data subjects to submit data requests. CC ID 16545 | Process or Activity | Preventive | |
| Provide individuals with information about where their personal data was processed. CC ID 00415 | Data and Information Management | Preventive | |
| Provide individuals with information about the processing purpose of their personal data. CC ID 00416 | Data and Information Management | Preventive | |
| Provide individuals with information about disclosure of their personal data. CC ID 00417 | Data and Information Management | Preventive | |
| Allow guardians and legal representatives access to personal data about the individual for whom they are guardians or legal representatives. CC ID 00418 | Data and Information Management | Preventive | |
| Provide assistance to requesters in preparing data access requests. CC ID 13588 | Data and Information Management | Preventive | |
| Require data access requests to be in writing, unless the requester is unable. CC ID 00420 | Establish/Maintain Documentation | Preventive | |
| Define what is to be included in a data access request. CC ID 08699 | Establish/Maintain Documentation | Preventive | |
| Refrain from requiring data subjects having to justify personal data access requests. CC ID 12394 | Business Processes | Preventive | |
| Respond to data access requests in a timely manner. CC ID 00421 | Behavior | Preventive | |
| Respond to data access requests in an official language. CC ID 17176 | Communicate | Preventive | |
| Delay responding to data access requests, as necessary. CC ID 15504 | Data and Information Management | Preventive | |
| Expedite the processing of data access requests, as necessary. CC ID 15496 | Data and Information Management | Preventive | |
| Notify the individual of the reasons for delays in responding to data access requests. CC ID 00422 | Behavior | Detective | |
| Notify the individual when a cost is imposed which must be paid in advance to gain access. CC ID 00423 | Behavior | Detective | |
| Grant a waiver or reduction of fees for data access under defined conditions. CC ID 15502 | Business Processes | Preventive | |
| Define what is included in a request for a waiver or reduction of fees. CC ID 15522 | Process or Activity | Preventive | |
| Deliver the records described in the personal data access request, as necessary. CC ID 08701 | Establish/Maintain Documentation | Preventive | |
| Provide individuals with an estimate of how much data was withheld from the data access request. CC ID 15503 | Data and Information Management | Preventive | |
| Document the outcome of the personal data access request review procedure. CC ID 00455 | Data and Information Management | Preventive | |
| Establish, implement, and maintain procedures for individuals to be able to modify their personal data, as necessary. CC ID 11811 | Establish/Maintain Documentation | Preventive | |
| Submit personal data removal requests in writing. CC ID 11973 | Records Management | Preventive | |
| Include a liability waiver for any harm caused by the exclusion of personal data in the personal data removal request. CC ID 11975 | Establish/Maintain Documentation | Preventive | |
| Allow authorized individuals to authenticate record entries containing personal data. CC ID 11812 | Records Management | Corrective | |
| Notify third parties of data access requests that relates to the third party. CC ID 08703 | Establish/Maintain Documentation | Preventive | |
| Allow affected third parties to consent or object to a data access request. CC ID 08704 | Process or Activity | Preventive | |
| Establish, implement, and maintain data disclosure procedures. CC ID 00133 [Each Member State shall ensure that statutory auditors and audit firms are entered in a public register in accordance with Articles 16 and 17. In exceptional circumstances, Member States may disapply the requirements laid down in this Article and Article 16 regarding disclosure only to the extent necessary to mitigate an imminent and significant threat to the personal security of any person. Article 15 1.] | Establish/Maintain Documentation | Preventive | |
| Disseminate and communicate the disclosure requirements to interested personnel and affected parties. CC ID 16901 | Communicate | Preventive | |
| Identify any adverse effects the disclosure of personal data will have on the data subject. CC ID 15298 | Data and Information Management | Preventive | |
| Review personal data disclosure requests. CC ID 07129 | Data and Information Management | Preventive | |
| Notify the data subject of the disclosure purpose. CC ID 15268 | Communicate | Preventive | |
| Establish, implement, and maintain data request denial procedures. CC ID 00434 [The working arrangements referred to in paragraph 1(d) shall ensure that: the request from a competent authority of a third country for audit working papers or other documents held by a statutory auditor or audit firm can be refused: where judicial proceedings have already been initiated in respect of the same actions and against the same persons before the authorities of the requested Member State. Article 47 2.(d) Bullet 2 The working arrangements referred to in paragraph 1(d) shall ensure that: the request from a competent authority of a third country for audit working papers or other documents held by a statutory auditor or audit firm can be refused: where the provision of those working papers or documents would adversely affect the sovereignty, security or public order of the Community or of the requested Member State, or Article 47 2.(d) Bullet 1] | Establish/Maintain Documentation | Preventive | |
| Include frivolous requests or vexatious requests as a reason for denial in the personal data request denial procedures. CC ID 00435 | Data and Information Management | Preventive | |
| Include when the required information is unavailable as a reason for denial in the personal data request denial procedures. CC ID 00436 | Data and Information Management | Preventive | |
| Include when the disclosure of personal data constitutes contempt of court or contempt of House of Representatives as a reason for denial in the personal data request denial procedures. CC ID 00437 | Data and Information Management | Preventive | |
| Include disclosing personal data that would identify suppliers or breaches an express promise of privacy or implied promise of privacy as a reason for denial in the personal data request denial procedures. CC ID 00438 | Data and Information Management | Preventive | |
| Include disclosing personal data that would compromise National Security as a reason for denial in the personal data request denial procedures. CC ID 00439 | Data and Information Management | Preventive | |
| Include information that is protected by attorney-client privilege as a reason for denial in the personal data request denial procedures. CC ID 00440 | Data and Information Management | Preventive | |
| Include disclosing personal data that would reveal trade secrets, commercial information, or harmful financial information as a reason for denial in the personal data request denial procedures. CC ID 00441 [The competent authorities may refuse to act on a request for information where: supplying information might adversely affect the sovereignty, security or public order of the requested Member State or breach national security rules; or Article 36 4. ¶ 3 (a)] | Data and Information Management | Preventive | |
| Include disclosing personal data that would threaten an individual's life or an individual's security as a reason for denial in the personal data request denial procedures. CC ID 00442 | Data and Information Management | Preventive | |
| Include disclosing personal data that would have an unreasonable impact on another individual's privacy as a reason for denial in the personal data request denial procedures. CC ID 00443 | Data and Information Management | Preventive | |
| Include disclosing personal data that would threaten facilities, property, transport, or communication systems as a reason for denial in the personal data request denial procedures. CC ID 08702 | Process or Activity | Preventive | |
| Include responding to access requests after the time limit as a reason for denial in the personal data request denial procedures. CC ID 13600 [The competent authorities may refuse to act on a request for information where: final judgment has already been passed in respect of the same actions and on the same statutory auditors or audit firms by the competent authorities of the requested Member State. Article 36 4. ¶ 3 (c)] | Data and Information Management | Preventive | |
| Include information that was generated from a formal dispute as a reason for denial in the personal data request denial procedures. CC ID 00444 [The competent authorities may refuse to act on a request for information where: judicial proceedings have already been initiated in respect of the same actions and against the same statutory auditors or audit firms before the authorities of the requested Member State; or Article 36 4. ¶ 3 (b)] | Data and Information Management | Preventive | |
| Include personal data that is used solely for scientific research, scholarly research, statistical research, library purposes, museum purposes, or archival purposes as a reason for denial in the personal data request denial procedures. CC ID 00445 | Data and Information Management | Preventive | |
| Include personal data that is for the state's economic interest as a reason for denial in the personal data request denial procedures. CC ID 00446 | Data and Information Management | Detective | |
| Include personal data that is for protecting the civil rights or other's freedoms as a reason for denial in the personal data request denial procedures. CC ID 00447 | Data and Information Management | Preventive | |
| Include disclosing personal data that constitutes a state secret as a reason for denial in the personal data request denial procedures. CC ID 00448 | Data and Information Management | Preventive | |
| Include disclosing personal data that would result in interference with the operation of public functions as a reason for denial in the personal data request denial procedures. CC ID 00449 | Data and Information Management | Preventive | |
| Include disclosing personal data that would interrupt criminal investigation and surveillance or other legal purposes as a reason for denial in the personal data request denial procedures. CC ID 00450 | Data and Information Management | Preventive | |
| Include when a country's laws prevent disclosure as a reason for denial in the personal data request denial procedures. CC ID 00451 | Data and Information Management | Preventive | |
| Include disclosing personal data that would interfere with grievance proceeding or employee security investigations as a reason for denial in the personal data request denial procedures. CC ID 06873 | Data and Information Management | Preventive | |
| Include disclosing personal data that would interfere with commercial acquisitions or reorganizations as a reason for denial in the personal data request denial procedures. CC ID 06874 | Data and Information Management | Preventive | |
| Include if the cost or burden of disclosing the personal data is disproportionate as a reason for denial in the personal data request denial procedures. CC ID 06875 | Data and Information Management | Preventive | |
| Notify interested personnel and affected parties of the reasons the data access request was refused. CC ID 00453 | Data and Information Management | Preventive | |
| Notify the individual of the organization's legal rights to refuse the personal data access request, as necessary. CC ID 13509 | Communicate | Preventive | |
| Notify individuals of their right to challenge a refusal to a data access request. CC ID 00454 | Data and Information Management | Preventive | |
| Include if the record would constitute an action for breach of a duty of confidence as a reason for denial in the personal data request denial procedures. CC ID 08700 | Process or Activity | Preventive | |
| Disseminate and communicate personal data to the individual that it relates to. CC ID 00428 | Data and Information Management | Preventive | |
| Provide personal data to an individual after the individual's identity has been confirmed. CC ID 06876 | Data and Information Management | Preventive | |
| Notify that data subject of any exclusions to requested personal data. CC ID 15271 | Communicate | Preventive | |
| Provide data or records in a reasonable time frame. CC ID 00429 | Data and Information Management | Preventive | |
| Notify individuals of the new time limit for responding to an access request in a notice of extension. CC ID 13599 | Communicate | Preventive | |
| Extend the time limit for providing personal data in order to convert it to an alternative format. CC ID 13591 | Data and Information Management | Preventive | |
| Extend the time limit for providing personal data if the time is impracticable to respond to the access request. CC ID 13590 | Data and Information Management | Preventive | |
| Extend the time limit for providing data if it would unreasonably interfere with the organization's activities. CC ID 13589 | Data and Information Management | Preventive | |
| Provide data at a cost that is not excessive. CC ID 00430 | Data and Information Management | Preventive | |
| Provide records or data in a reasonable manner. CC ID 00431 | Data and Information Management | Preventive | |
| Provide personal data in a form that is intelligible. CC ID 00432 | Data and Information Management | Preventive | |
| Provide restricted data that would threaten the life or security of another individual after that information has been redacted. CC ID 13604 | Data and Information Management | Preventive | |
| Provide restricted data that would reveal confidential commercial information after that information has been redacted. CC ID 13602 | Data and Information Management | Preventive | |
| Remove data pertaining to third parties before giving the requestor access to the information. CC ID 13601 | Data and Information Management | Preventive | |
| Document that a data search was conducted in case the requested data cannot be found. CC ID 06953 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a data handling program. CC ID 13427 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain data handling policies. CC ID 00353 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain data and information confidentiality policies. CC ID 00361 [The obligation of professional secrecy shall apply to all persons who are employed or who have been employed by competent authorities. Information covered by professional secrecy may not be disclosed to any other person or authority except by virtue of the laws, regulations or administrative procedures of a Member State. Article 36 2.] | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain record structures to support information confidentiality. CC ID 00360 [Member States shall ensure that all information and documents to which a statutory auditor or audit firm has access when carrying out a statutory audit are protected by adequate rules on confidentiality and professional secrecy. Article 23 1. Competent authorities shall, on request, and without undue delay, supply any information required for the purpose referred to in paragraph 1. Where necessary, the competent authorities receiving any such request shall, without undue delay, take the necessary measures to gather the required information. Information thus supplied shall be covered by the obligation of professional secrecy to which the persons employed or formerly employed by the competent authorities that received the information are subject. Article 36 4. ¶ 1 The working arrangements referred to in paragraph 1(d) shall ensure that: the persons employed or formerly employed by the competent authorities of the third country that receive the information are subject to obligations of professional secrecy; Article 47 2.(b)] | Data and Information Management | Preventive | |
| Include passwords, Personal Identification Numbers, and card security codes in the personal data definition. CC ID 04699 | Configuration | Preventive | |
| Refrain from storing data elements containing payment card full magnetic stripe data. CC ID 04757 | Testing | Detective | |
| Store payment card data in secure chips, if possible. CC ID 13065 | Configuration | Preventive | |
| Refrain from storing data elements containing sensitive authentication data after authorization is approved. CC ID 04758 | Configuration | Preventive | |
| Render unrecoverable sensitive authentication data after authorization is approved. CC ID 11952 | Technical Security | Preventive | |
| Automate the disposition process for records that contain "do not store" data or "delete after transaction process" data. CC ID 06083 | Data and Information Management | Preventive | |
| Log the disclosure of personal data. CC ID 06628 | Log Management | Preventive | |
| Log the modification of personal data. CC ID 11844 | Log Management | Preventive | |
| Encrypt, truncate, or tokenize data fields, as necessary. CC ID 06850 | Technical Security | Preventive | |
| Develop remedies and sanctions for privacy policy violations. CC ID 00474 | Data and Information Management | Preventive | |
| Notify the public and other agencies after a penalty becomes final. CC ID 06217 [Member States shall provide that measures taken and penalties imposed on statutory auditors and audit firms are appropriately disclosed to the public. Penalties shall include the possibility of the withdrawal of approval. Article 30 3.] | Behavior | Preventive | |
Common Controls andEach Common Control is assigned a meta-data type to help you determine the objective of the Control and associated Authority Document mandates aligned with it. These types include behavioral controls, process controls, records management, technical security, configuration management, etc. They are provided as another tool to dissect the Authority Document’s mandates and assign them effectively within your organization.
Actionable Reports or Measurements | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Report to management and stakeholders on the findings and information gathered from all types of inquiries. CC ID 12797 [Competent authorities shall, on request, and without undue delay, supply any information required for the purpose referred to in paragraph 1. Where necessary, the competent authorities receiving any such request shall, without undue delay, take the necessary measures to gather the required information. Information thus supplied shall be covered by the obligation of professional secrecy to which the persons employed or formerly employed by the competent authorities that received the information are subject. Article 36 4. ¶ 1] | Leadership and high level objectives | Preventive | |
| Collect all work papers for the audit and audit report into an engagement file. CC ID 07001 [Member States shall ensure that in the case of a statutory audit of the consolidated accounts of a group of undertakings: when a component of a group of undertakings is audited by auditor(s) or audit entity(ies) from a third country that has no working arrangement as referred to in Article 47, the group auditor is responsible for ensuring proper delivery, when requested, to the public oversight authorities of the documentation of the audit work performed by the third-country auditor(s) or audit entity(ies), including the working papers relevant to the group audit. To ensure such delivery, the group auditor shall retain a copy of such documentation, or alternatively agree with the third-country auditor(s) or audit entity(ies) his proper and unrestricted access upon request, or take any other appropriate action. If legal or other impediments prevent audit working papers from being passed from a third country to the group auditor, the documentation retained by the group auditor shall include evidence that he or she has undertaken the appropriate procedures in order to gain access to the audit documentation, and in the case of impediments other than legal ones arising from country legislation, evidence supporting such an impediment. Article 27 ¶ 1 (c)] | Audits and risk management | Preventive | |
| Include the word independent in the title of audit reports. CC ID 07003 | Audits and risk management | Preventive | |
| Include the date of the audit in the audit report. CC ID 07024 | Audits and risk management | Preventive | |
| Include information about the organization being audited and the auditor performing the audit in the audit report. CC ID 07004 [In addition to the provisions laid down in Articles 22 and 24, Member States shall ensure that statutory auditors or audit firms that carry out the statutory audit of a public-interest entity: disclose annually to the audit committee any additional services provided to the audited entity; and Article 42 1.(b)] | Audits and risk management | Preventive | |
| Include a statement that access to the report is restricted based on least privilege in the audit report. CC ID 07023 | Audits and risk management | Preventive | |
| Include the organization's audit assertion of the in scope system in the audit report. CC ID 07005 | Audits and risk management | Preventive | |
| Disclose any audit irregularities in the audit report. CC ID 06995 | Audits and risk management | Preventive | |
| Monitor and report on the status of mitigation actions in the corrective action plan. CC ID 15250 | Audits and risk management | Corrective | |
Audits and Risk Management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Manage supply chain audits. CC ID 01203 | Audits and risk management | Preventive | |
| Review the external auditors involvement in assessing Information Technology controls. CC ID 01204 | Audits and risk management | Preventive | |
| Rotate auditors, as necessary. CC ID 15589 [Member States shall ensure that the key audit partner(s) responsible for carrying out a statutory audit rotate(s) from the audit engagement within a maximum period of seven years from the date of appointment and is/are allowed to participate in the audit of the audited entity again after a period of at least two years. Article 42 2.] | Audits and risk management | Preventive | |
| Engage auditors who have adequate knowledge of the subject matter. CC ID 07102 | Audits and risk management | Preventive | |
| Review the external audit scope, as necessary. CC ID 01202 | Audits and risk management | Preventive | |
| Include nondisclosure agreements in external auditor outsourcing contracts. CC ID 10014 | Audits and risk management | Detective | |
| Review the external auditor's qualifications. CC ID 01197 | Audits and risk management | Preventive | |
| Conduct a performance review of the external auditor's performance during the audit process. CC ID 01198 [{investigation process} {disciplinary process} The system of public oversight shall have the ultimate responsibility for the oversight of: continuing education, quality assurance and investigative and disciplinary systems. Article 32 4.(c) The competent authorities of Member States responsible for approval, registration, quality assurance, inspection and discipline shall cooperate with each other whenever necessary for the purpose of carrying out their respective responsibilities under this Directive. The competent authorities in a Member State responsible for approval, registration, quality assurance, inspection and discipline shall render assistance to competent authorities in other Member States. In particular, competent authorities shall exchange information and cooperate in investigations related to the carrying-out of statutory audits. Article 36 1. The system of public oversight shall have the right, where necessary, to conduct investigations in relation to statutory auditors and audit firms and the right to take appropriate action. Article 32 5. Member States shall ensure that there are effective systems of investigations and penalties to detect, correct and prevent inadequate execution of the statutory audit. Article 30 1. {third-country audit entity} Member States shall subject registered third-country auditors and audit entities to their systems of oversight, their quality assurance systems and their systems of investigation and penalties. A Member State may exempt a registered third-country auditor or audit entity from being subject to its quality assurance system if another Member State's or third country's system of quality assurance that has been assessed as equivalent in accordance with Article 46 has carried out a quality review of the third-country auditor or audit entity concerned during the previous three years. Article 45 3.] | Audits and risk management | Preventive | |
| Define what constitutes a threat to independence. CC ID 16824 [In addition to the provisions laid down in Articles 22 and 24, Member States shall ensure that statutory auditors or audit firms that carry out the statutory audit of a public-interest entity: discuss with the audit committee the threats to their independence and the safeguards applied to mitigate those threats as documented by them pursuant to Article 22(3). Article 42 1.(c)] | Audits and risk management | Preventive | |
| Determine if requested services create a threat to independence. CC ID 16823 [Member States shall ensure that a statutory auditor or audit firm documents in the audit working papers all significant threats to his, her or its independence as well as the safeguards applied to mitigate those threats. Article 22 3. Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: the scope of the quality assurance review, supported by adequate testing of selected audit files, shall include an assessment of compliance with applicable auditing standards and independence requirements, of the quantity and quality of resources spent, of the audit fees charged and of the internal quality control system of the audit firm; Article 29 1.(f) Without prejudice to the responsibility of the members of the administrative, management or supervisory bodies, or of other members who are appointed by the general meeting of shareholders of the audited entity, the audit committee shall, inter alia: review and monitor the independence of the statutory auditor or audit firm, and in particular the provision of additional services to the audited entity. Article 41 2.(d)] | Audits and risk management | Detective | |
| Include provisions for legislative plurality and legislative domain in the audit program. CC ID 06959 | Audits and risk management | Preventive | |
| Include in scope procedures in the audit assertion's in scope system description. CC ID 16551 | Audits and risk management | Preventive | |
| Include roles and responsibilities in the audit assertion's in scope system description. CC ID 16558 | Audits and risk management | Preventive | |
| Include the audit criteria in the audit assertion's in scope system description. CC ID 16548 | Audits and risk management | Preventive | |
| Include third party data in the audit assertion's in scope system description. CC ID 16554 | Audits and risk management | Preventive | |
| Include third party personnel in the audit assertion's in scope system description. CC ID 16552 | Audits and risk management | Preventive | |
| Include compliance requirements in the audit assertion's in scope system description. CC ID 16506 | Audits and risk management | Preventive | |
| Include third party assets in the audit assertion's in scope system description. CC ID 16550 | Audits and risk management | Preventive | |
| Include deviations and the corrective actions taken in the audit assertion's in scope system description. CC ID 16549 | Audits and risk management | Preventive | |
| Determine the appropriateness of the audit assertion's in scope system description. CC ID 16449 | Audits and risk management | Detective | |
| Hold an opening meeting with interested personnel and affected parties prior to an audit. CC ID 15256 | Audits and risk management | Preventive | |
| Confirm audit requirements during the opening meeting. CC ID 15255 | Audits and risk management | Detective | |
| Include discussions about how particular situations will be handled in the opening meeting. CC ID 15254 | Audits and risk management | Preventive | |
| Include third party assets in the audit scope. CC ID 16504 | Audits and risk management | Preventive | |
| Determine the appropriateness of the audit subject matter. CC ID 16505 | Audits and risk management | Preventive | |
| Include the in scope material or in scope products in the audit program. CC ID 08961 | Audits and risk management | Preventive | |
| Include the date of the audit in the representation letter. CC ID 16517 | Audits and risk management | Preventive | |
| Include a statement that management has disclosed the implementation status in the representation letter. CC ID 17162 | Audits and risk management | Preventive | |
| Include the criteria for determining the desired level of assurance in the audit program. CC ID 12795 | Audits and risk management | Preventive | |
| Refrain from performing an attestation engagement under defined conditions. CC ID 13952 [Member States shall in addition ensure that, where statutory audits of public-interest entities are concerned and where appropriate to safeguard the statutory auditor's or audit firm's independence, a statutory auditor or an audit firm shall not carry out a statutory audit in cases of self-review or self-interest. Article 22 2. ¶ 2 Member States shall ensure that a statutory auditor or an audit firm shall not carry out a statutory audit if there is any direct or indirect financial, business, employment or other relationship — including the provision of additional non-audit services — between the statutory auditor, audit firm or network and the audited entity from which an objective, reasonable and informed third party would conclude that the statutory auditor's or audit firm's independence is compromised. If the statutory auditor's or audit firm's independence is affected by threats, such as self-review, self-interest, advocacy, familiarity or trust or intimidation, the statutory auditor or audit firm must apply safeguards in order to mitigate those threats. If the significance of the threats compared to the safeguards applied is such that his, her or its independence is compromised, the statutory auditor or audit firm shall not carry out the statutory audit. Article 22 2. ¶ 1 Member States shall ensure that a statutory auditor or an audit firm shall not carry out a statutory audit if there is any direct or indirect financial, business, employment or other relationship — including the provision of additional non-audit services — between the statutory auditor, audit firm or network and the audited entity from which an objective, reasonable and informed third party would conclude that the statutory auditor's or audit firm's independence is compromised. If the statutory auditor's or audit firm's independence is affected by threats, such as self-review, self-interest, advocacy, familiarity or trust or intimidation, the statutory auditor or audit firm must apply safeguards in order to mitigate those threats. If the significance of the threats compared to the safeguards applied is such that his, her or its independence is compromised, the statutory auditor or audit firm shall not carry out the statutory audit. Article 22 2. ¶ 1] | Audits and risk management | Detective | |
| Refrain from accepting an attestation engagement when all parties disagree on the procedures. CC ID 13951 | Audits and risk management | Preventive | |
| Audit in scope audit items and compliance documents. CC ID 06730 [A statutory audit shall be carried out only by statutory auditors or audit firms which are approved by the Member State requiring the statutory audit. Article 3 1. Member States shall require statutory auditors and audit firms to carry out statutory audits in compliance with international auditing standards adopted by the Commission in accordance with the procedure referred to in Article 48(2). Member States may apply a national auditing standard as long as the Commission has not adopted an international auditing standard covering the same subject-matter. Adopted international auditing standards shall be published in full in each of the official languages of the Community in the Official Journal of the European Union. Article 26 1.] | Audits and risk management | Preventive | |
| Identify hypothetical assumptions in forecasts and projections during an audit. CC ID 13946 | Audits and risk management | Detective | |
| Refrain from examining forecasts and projections which refrain from disclosing assumptions during an audit. CC ID 13932 | Audits and risk management | Detective | |
| Audit policies, standards, and procedures. CC ID 12927 | Audits and risk management | Preventive | |
| Investigate the nature and causes of misstatements in the audit assertion's in scope system description. CC ID 16557 | Audits and risk management | Detective | |
| Review incident management audit logs to determine the effectiveness of in scope controls. CC ID 12157 | Audits and risk management | Detective | |
| Review audit reports to determine the effectiveness of in scope controls. CC ID 12156 [Without prejudice to the responsibility of the members of the administrative, management or supervisory bodies, or of other members who are appointed by the general meeting of shareholders of the audited entity, the audit committee shall, inter alia: monitor the effectiveness of the company's internal control, internal audit where applicable, and risk management systems; Article 41 2.(b)] | Audits and risk management | Detective | |
| Observe processes to determine the effectiveness of in scope controls. CC ID 12155 | Audits and risk management | Detective | |
| Interview stakeholders to determine the effectiveness of in scope controls. CC ID 12154 | Audits and risk management | Detective | |
| Review policies and procedures to determine the effectiveness of in scope controls. CC ID 12144 | Audits and risk management | Detective | |
| Evaluate personnel status changes to determine the effectiveness of in scope controls. CC ID 16556 | Audits and risk management | Detective | |
| Determine whether individuals performing a control have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 16555 | Audits and risk management | Detective | |
| Implement procedures that collect sufficient audit evidence. CC ID 07153 | Audits and risk management | Preventive | |
| Collect evidence about the in scope audit items of the audit assertion. CC ID 07154 | Audits and risk management | Preventive | |
| Collect audit evidence sufficient to avoid misstatements. CC ID 07155 | Audits and risk management | Preventive | |
| Collect audit evidence at the level of the organization's competence in the subject matter. CC ID 07156 | Audits and risk management | Preventive | |
| Collect audit evidence sufficient to overcome inadequacies in the organization's attestation. CC ID 07157 | Audits and risk management | Preventive | |
| Refrain from using audit evidence that is not sufficient. CC ID 17163 | Audits and risk management | Preventive | |
| Include audit evidence obtained from previous engagements in the work papers. CC ID 16518 [Member States shall ensure that in the case of a statutory audit of the consolidated accounts of a group of undertakings: when a component of a group of undertakings is audited by auditor(s) or audit entity(ies) from a third country that has no working arrangement as referred to in Article 47, the group auditor is responsible for ensuring proper delivery, when requested, to the public oversight authorities of the documentation of the audit work performed by the third-country auditor(s) or audit entity(ies), including the working papers relevant to the group audit. To ensure such delivery, the group auditor shall retain a copy of such documentation, or alternatively agree with the third-country auditor(s) or audit entity(ies) his proper and unrestricted access upon request, or take any other appropriate action. If legal or other impediments prevent audit working papers from being passed from a third country to the group auditor, the documentation retained by the group auditor shall include evidence that he or she has undertaken the appropriate procedures in order to gain access to the audit documentation, and in the case of impediments other than legal ones arising from country legislation, evidence supporting such an impediment. Article 27 ¶ 1 (c)] | Audits and risk management | Preventive | |
| Include if the audit evidence has identified in scope control deficiencies in the work papers. CC ID 07152 | Audits and risk management | Detective | |
| Include any subsequent events related to the audit assertion or audit subject matter in the work papers. CC ID 07177 | Audits and risk management | Preventive | |
| Review the subject matter expert's findings. CC ID 16559 | Audits and risk management | Detective | |
| Provide auditors access to all in scope records, in scope assets, personnel and in scope procedures. CC ID 06966 [Where a statutory auditor or audit firm is replaced by another statutory auditor or audit firm, the former statutory auditor or audit firm shall provide the incoming statutory auditor or audit firm with access to all relevant information concerning the audited entity. Article 23 3.] | Audits and risk management | Preventive | |
| Solve any access problems auditors encounter during the audit. CC ID 08959 | Audits and risk management | Corrective | |
| Notify interested personnel and affected parties when an auditee refuses to provide access or participate in the audit. CC ID 08960 | Audits and risk management | Preventive | |
| Include the justification for not following the applicable requirements in the audit report. CC ID 16822 | Audits and risk management | Preventive | |
| Include a statement that the applicable requirements were not followed in the audit report. CC ID 16821 | Audits and risk management | Preventive | |
| Refrain from referencing previous engagements in the audit report. CC ID 16516 | Audits and risk management | Preventive | |
| Identify the participants from the organization being audited in the audit report. CC ID 15258 | Audits and risk management | Detective | |
| Include the cost of corrective action in the audit report. CC ID 17015 | Audits and risk management | Preventive | |
| Include the timing of controls in the description of tests of controls and results in the audit report. CC ID 16553 | Audits and risk management | Preventive | |
| Include the organization's in scope system description in the audit report. CC ID 11626 | Audits and risk management | Preventive | |
| Include the scope and work performed in the audit report. CC ID 11621 | Audits and risk management | Preventive | |
| Review the adequacy of the internal auditor's work papers. CC ID 01146 | Audits and risk management | Detective | |
| Review the adequacy of the internal auditor's audit reports. CC ID 11620 | Audits and risk management | Detective | |
| Review management's response to issues raised in past audit reports. CC ID 01149 | Audits and risk management | Detective | |
| Review the audit program scope as it relates to the organization's profile. CC ID 01159 | Audits and risk management | Detective | |
| Assess the quality of the audit program in regards to its documentation. CC ID 11622 [Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: the scope of the quality assurance review, supported by adequate testing of selected audit files, shall include an assessment of compliance with applicable auditing standards and independence requirements, of the quantity and quality of resources spent, of the audit fees charged and of the internal quality control system of the audit firm; Article 29 1.(f) Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: the scope of the quality assurance review, supported by adequate testing of selected audit files, shall include an assessment of compliance with applicable auditing standards and independence requirements, of the quantity and quality of resources spent, of the audit fees charged and of the internal quality control system of the audit firm; Article 29 1.(f)] | Audits and risk management | Preventive | |
| Develop key indicators to inform management on the effectiveness of risk control measures. CC ID 12946 | Audits and risk management | Preventive | |
Behavior | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Carry out disciplinary actions when a compliance violation is detected. CC ID 06675 [Member States shall ensure that statutory auditors are required to take part in appropriate programmes of continuing education in order to maintain their theoretical knowledge, professional skills and values at a sufficiently high level, and that failure to respect the continuing education requirements is subject to appropriate penalties as referred to in Article 30. Article 13 ¶ 1 If the recommendations referred to in point (j) are not followed up, the statutory auditor or audit firm shall, if applicable, be subject to the system of disciplinary actions or penalties referred to in Article 30. Article 29 1. ¶ 1 Where a competent authority concludes that activities contrary to the provisions of this Directive are being or have been carried out on the territory of another Member State, it shall notify the competent authority of the other Member State of that conclusion in as specific a manner as possible. The competent authority of the other Member State shall take appropriate action. It shall inform the notifying competent authority of the outcome and, to the extent possible, of significant interim developments. Article 36 5. Without prejudice to Member States' civil liability regimes, Member States shall provide for effective, proportionate and dissuasive penalties in respect of statutory auditors and audit firms, where statutory audits are not carried out in conformity with the provisions adopted in the implementation of this Directive. Article 30 2. {investigation process} {disciplinary process} The system of public oversight shall have the ultimate responsibility for the oversight of: continuing education, quality assurance and investigative and disciplinary systems. Article 32 4.(c) The system of public oversight shall have the right, where necessary, to conduct investigations in relation to statutory auditors and audit firms and the right to take appropriate action. Article 32 5. {third-country audit entity} Member States shall subject registered third-country auditors and audit entities to their systems of oversight, their quality assurance systems and their systems of investigation and penalties. A Member State may exempt a registered third-country auditor or audit entity from being subject to its quality assurance system if another Member State's or third country's system of quality assurance that has been assessed as equivalent in accordance with Article 46 has carried out a quality review of the third-country auditor or audit entity concerned during the previous three years. Article 45 3.] | Monitoring and measurement | Corrective | |
| Question external auditors about how audits were conducted and what is in the audit reports. CC ID 04587 | Audits and risk management | Preventive | |
| Disseminate and communicate with the organization about any missing audit documentation. CC ID 06992 | Audits and risk management | Preventive | |
| Exercise due professional care during the planning and performance of the audit. CC ID 07119 | Audits and risk management | Preventive | |
| Refrain from accepting an attestation engagement unless the prospective financial information includes a summary of significant assumptions. CC ID 13954 | Audits and risk management | Preventive | |
| Verify statements made by interviewees are correct. CC ID 16299 | Audits and risk management | Detective | |
| Explain the goals of the interview to the interviewee. CC ID 07189 | Audits and risk management | Detective | |
| Resolve disputes before creating the audit summary. CC ID 08964 | Audits and risk management | Preventive | |
| Disseminate and communicate to the organization that access and use of audit reports are based on least privilege. CC ID 07171 | Audits and risk management | Preventive | |
| Train all personnel and third parties, as necessary. CC ID 00785 [In order to ensure the ability to apply theoretical knowledge in practice, a test of which is included in the examination, a trainee shall complete a minimum of three years' practical training in, inter alia, the auditing of annual accounts, consolidated accounts or similar financial statements. At least two thirds of such practical training shall be completed with a statutory auditor or audit firm approved in any Member State. Article 10 1.] | Human Resources management | Preventive | |
| Retrain all personnel, as necessary. CC ID 01362 [Member States shall ensure that statutory auditors are required to take part in appropriate programmes of continuing education in order to maintain their theoretical knowledge, professional skills and values at a sufficiently high level, and that failure to respect the continuing education requirements is subject to appropriate penalties as referred to in Article 30. Article 13 ¶ 1] | Human Resources management | Preventive | |
| Tailor training to meet published guidance on the subject being taught. CC ID 02217 | Human Resources management | Preventive | |
| Tailor training to be taught at each person's level of responsibility. CC ID 06674 | Human Resources management | Preventive | |
| Conduct cross-training or staff backup training to minimize dependency on critical individuals. CC ID 00786 | Human Resources management | Preventive | |
| Use automated mechanisms in the training environment, where appropriate. CC ID 06752 | Human Resources management | Preventive | |
| Conduct Archives and Records Management training. CC ID 00975 | Human Resources management | Preventive | |
| Disseminate and communicate the security awareness program to all interested personnel and affected parties. CC ID 00823 | Human Resources management | Preventive | |
| Train all personnel and third parties on how to recognize and report security incidents. CC ID 01211 | Human Resources management | Preventive | |
| Conduct secure coding and development training for developers. CC ID 06822 | Human Resources management | Corrective | |
| Conduct crime prevention training. CC ID 06350 | Human Resources management | Preventive | |
| Establish, implement, and maintain ethical decision-making guidelines. CC ID 12908 | Human Resources management | Preventive | |
| Establish, implement, and maintain an ethical culture. CC ID 12781 | Human Resources management | Preventive | |
| Refrain from discriminating against employees who refuse or intends to refuse to do something that contravenes requirements. CC ID 13608 | Human Resources management | Preventive | |
| Refrain from discriminating against employees who are whistleblowers. CC ID 13609 | Human Resources management | Preventive | |
| Refrain from discriminating against employees who disclose that their employer or another person has or intends to contravene requirements. CC ID 13607 | Human Resources management | Preventive | |
| Refrain from approving previously performed activities when acting on behalf of the Chief Information Security Officer. CC ID 12060 | Human Resources management | Preventive | |
| Refrain from performing activities with approval responsibility when acting on behalf of the Chief Information Security Officer. CC ID 12059 | Human Resources management | Preventive | |
| Prohibit roles from performing activities that they are assigned the responsibility for approving. CC ID 12052 | Human Resources management | Preventive | |
| Grant registration after competence and integrity is verified. CC ID 16802 [Member States may additionally allow the information to be entered in the public register in any other official language(s) of the Community. Member States may require the translation of the information to be certified. Article 20 2. ¶ 1 {public register} In all cases, the Member State concerned shall ensure that the register indicates whether or not the translation is certified. Article 20 2. ¶ 2] | Operational management | Detective | |
| Notify the supervisory authority. CC ID 00472 [Where a competent authority concludes that activities contrary to the provisions of this Directive are being or have been carried out on the territory of another Member State, it shall notify the competent authority of the other Member State of that conclusion in as specific a manner as possible. The competent authority of the other Member State shall take appropriate action. It shall inform the notifying competent authority of the outcome and, to the extent possible, of significant interim developments. Article 36 5. Member States shall communicate to the Commission the working arrangements referred to in paragraphs 1 and 4. Article 47 6.] | Privacy protection for information and data | Preventive | |
| Respond to data access requests in a timely manner. CC ID 00421 | Privacy protection for information and data | Preventive | |
| Notify the individual of the reasons for delays in responding to data access requests. CC ID 00422 | Privacy protection for information and data | Detective | |
| Notify the individual when a cost is imposed which must be paid in advance to gain access. CC ID 00423 | Privacy protection for information and data | Detective | |
| Notify the public and other agencies after a penalty becomes final. CC ID 06217 [Member States shall provide that measures taken and penalties imposed on statutory auditors and audit firms are appropriately disclosed to the public. Penalties shall include the possibility of the withdrawal of approval. Article 30 3.] | Privacy protection for information and data | Preventive | |
Business Processes | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Establish, implement, and maintain a reporting methodology program. CC ID 02072 | Leadership and high level objectives | Preventive | |
| Enforce a continuous Quality Control system. CC ID 01005 [Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: quality assurance reviews shall take place at least every six years; Article 29 1.(h) The system of public oversight shall have the ultimate responsibility for the oversight of: the adoption of standards on professional ethics, internal quality control of audit firms and auditing, and Article 32 4.(b)] | Leadership and high level objectives | Detective | |
| Correct errors and deficiencies in a timely manner. CC ID 13501 | Leadership and high level objectives | Corrective | |
| Establish and maintain time frames for correcting deficiencies found during Quality Control. CC ID 07206 | Leadership and high level objectives | Detective | |
| Review and analyze any quality improvement goals that were missed. CC ID 07204 | Leadership and high level objectives | Detective | |
| Return the funds from a funds transfer when required information is not received or discrepancies resolved. CC ID 16760 | Leadership and high level objectives | Preventive | |
| Delay the funds transfer until all required information has been received or discrepancies resolved. CC ID 16759 | Leadership and high level objectives | Preventive | |
| Refrain from making funds from a funds transfer available to the interested personnel until all required information is received. CC ID 16758 | Leadership and high level objectives | Preventive | |
| Attach the required information to each funds transfer. CC ID 16756 | Leadership and high level objectives | Preventive | |
| Verify all required information is attached to each funds transfer. CC ID 16755 | Leadership and high level objectives | Detective | |
| Establish, implement, and maintain protective measures for customers from a bank's insolvency or default. CC ID 16738 | Leadership and high level objectives | Preventive | |
| Refrain from setting up anonymous financial accounts. CC ID 16721 | Leadership and high level objectives | Preventive | |
| Identify and maintain positions in financial accounts. CC ID 16751 | Leadership and high level objectives | Preventive | |
| Supplement financial resources, as necessary. CC ID 16685 | Leadership and high level objectives | Preventive | |
| Limit the types of assets accepted as collateral. CC ID 16602 | Leadership and high level objectives | Preventive | |
| Avoid the use of concentrated holdings of assets. CC ID 16651 | Leadership and high level objectives | Preventive | |
| Establish, implement, and maintain a securities trading program. CC ID 16626 | Leadership and high level objectives | Preventive | |
| Include investment information in approval requests for investments. CC ID 16590 | Leadership and high level objectives | Preventive | |
| Review and approve lending policies. CC ID 16607 | Leadership and high level objectives | Preventive | |
| Establish, implement, and maintain margin systems. CC ID 16601 | Leadership and high level objectives | Preventive | |
| Establish, implement, and maintain capital adequacy measures. CC ID 16568 | Leadership and high level objectives | Preventive | |
| Withdraw the approvals of auditors, as necessary. CC ID 17260 [Approval of a statutory auditor or an audit firm shall be withdrawn if the good repute of that person or firm has been seriously compromised. Member States may, however, provide for a reasonable period of time for the purpose of meeting the requirements of good repute. Article 5 1. Approval of an audit firm shall be withdrawn if any of the conditions imposed in Article 3(4), points (b) and (c) is no longer fulfilled. Member States may, however, provide for a reasonable period of time for the purpose of fulfilling those conditions. Article 5 2. Member States shall ensure that statutory auditors or audit firms may be dismissed only where there are proper grounds. Divergence of opinions on accounting treatments or audit procedures shall not be proper grounds for dismissal. Article 38 1.] | Audits and risk management | Preventive | |
| Identify personnel who should attend the closing meeting. CC ID 15261 | Audits and risk management | Preventive | |
| Schedule attestation engagement meetings with interested personnel and affected parties, as necessary. CC ID 15263 | Audits and risk management | Preventive | |
| Refrain from accepting an attestation engagement when the engaging party refuses to sign the engagement letter. CC ID 14912 | Audits and risk management | Preventive | |
| Accept the attestation engagement when all preconditions are met. CC ID 13933 | Audits and risk management | Preventive | |
| Respond to questions or clarification requests regarding the audit. CC ID 08902 | Audits and risk management | Preventive | |
| Review the need for organizational efficiency as balanced against the needs of compliance and security. CC ID 07111 | Audits and risk management | Preventive | |
| Provide auditors access to affected parties during the audit, as necessary. CC ID 07187 | Audits and risk management | Preventive | |
| Disclaim the audit opinion in the audit report, as necessary. CC ID 13901 | Audits and risk management | Corrective | |
| Notify interested personnel and affected parties after bribes are offered during the audit. CC ID 08872 | Audits and risk management | Preventive | |
| Establish, implement, and maintain an education methodology. CC ID 06671 [{investigation process} {disciplinary process} The system of public oversight shall have the ultimate responsibility for the oversight of: continuing education, quality assurance and investigative and disciplinary systems. Article 32 4.(c)] | Human Resources management | Preventive | |
| Refrain from practicing false advertising. CC ID 14253 | Human Resources management | Preventive | |
| Establish mechanisms for whistleblowers to report compliance violations. CC ID 06806 | Human Resources management | Preventive | |
| Respond to ethics complaints of ethics violations. CC ID 11497 | Human Resources management | Corrective | |
| Impose conditions or restrictions on the termination or suspension of a registration. CC ID 16796 | Operational management | Preventive | |
| Define the requirements for approving or denying approval applications. CC ID 16780 | Privacy protection for information and data | Preventive | |
| Extend the time limit for approving or denying approval applications. CC ID 16779 | Privacy protection for information and data | Preventive | |
| Refrain from requiring data subjects having to justify personal data access requests. CC ID 12394 | Privacy protection for information and data | Preventive | |
| Grant a waiver or reduction of fees for data access under defined conditions. CC ID 15502 | Privacy protection for information and data | Preventive | |
Communicate | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Establish, implement, and maintain an external reporting program. CC ID 12876 | Leadership and high level objectives | Preventive | |
| Include reporting to governing bodies in the external reporting plan. CC ID 12923 [Where the approval of a statutory auditor or of an audit firm is withdrawn for any reason, the competent authority of the Member State where the approval is withdrawn shall communicate that fact and the reasons for the withdrawal to the relevant competent authorities of Member States where the statutory auditor or audit firm is also approved which are entered in the first-named Member State's register in accordance with Article 16(1), point (c). Article 5 3.] | Leadership and high level objectives | Preventive | |
| Submit confidential treatment applications to interested personnel and affected parties. CC ID 16592 | Leadership and high level objectives | Preventive | |
| Disseminate and communicate the Quality Management policy to all interested personnel and affected parties. CC ID 13695 | Leadership and high level objectives | Preventive | |
| Disseminate and communicate the Quality Management framework to all stakeholders. CC ID 13680 | Leadership and high level objectives | Preventive | |
| Notify affected parties and interested personnel of quality management system approvals that have been refused, suspended, or withdrawn. CC ID 15045 | Leadership and high level objectives | Preventive | |
| Notify affected parties and interested personnel of quality management system approvals that have been issued. CC ID 15036 | Leadership and high level objectives | Preventive | |
| Provide required information that is missing from a funds transfer to the responsible party. CC ID 16761 | Leadership and high level objectives | Preventive | |
| Disseminate and communicate the results of stress testing to interested personnel and affected parties. CC ID 16630 | Leadership and high level objectives | Preventive | |
| Disseminate and communicate the escrow procedures to interested personnel and affected parties. CC ID 16565 | Leadership and high level objectives | Preventive | |
| Disseminate and communicate securities transaction notifications to interested personnel and affected parties. CC ID 16621 | Leadership and high level objectives | Preventive | |
| Disseminate and communicate the financial report to interested personnel and affected parties. CC ID 16342 | Leadership and high level objectives | Preventive | |
| Disseminate and communicate the call report to interested personnel and affected parties. CC ID 16727 | Leadership and high level objectives | Preventive | |
| Disseminate and communicate the disciplinary action notice to interested personnel and affected parties. CC ID 16585 [Where a competent authority concludes that activities contrary to the provisions of this Directive are being or have been carried out on the territory of another Member State, it shall notify the competent authority of the other Member State of that conclusion in as specific a manner as possible. The competent authority of the other Member State shall take appropriate action. It shall inform the notifying competent authority of the outcome and, to the extent possible, of significant interim developments. Article 36 5.] | Monitoring and measurement | Preventive | |
| Publish a Statement of Compliance for the organization's external requirements. CC ID 12350 [Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: the overall results of the quality assurance system shall be published annually; Article 29 1.(i)] | Audits and risk management | Preventive | |
| Disseminate and communicate the auditor's qualification requirements to interested personnel and affected parties. CC ID 17265 | Audits and risk management | Preventive | |
| Include the scope for the desired level of assurance in the audit program. CC ID 12793 | Audits and risk management | Preventive | |
| Hold a closing meeting following an audit to present audit findings and conclusions. CC ID 15248 | Audits and risk management | Preventive | |
| Report that audit evidence collected was not sufficient to the proper authorities. CC ID 16847 | Audits and risk management | Preventive | |
| Disseminate and communicate the reasons the audit report was delayed to interested personnel and affected parties. CC ID 15257 | Audits and risk management | Preventive | |
| Notify auditees if disclosure of audit documentation is required by law. CC ID 15249 | Audits and risk management | Preventive | |
| Disseminate and communicate the audit plan to interested personnel and affected parties. CC ID 15238 | Audits and risk management | Preventive | |
| Disseminate and communicate the disclosure report to interested personnel and affected parties. CC ID 15667 [Member States shall ensure that statutory auditors and audit firms that carry out statutory audit(s) of public-interest entities publish on their websites, within three months of the end of each financial year, annual transparency reports that include at least the following: Article 40 1.] | Audits and risk management | Preventive | |
| Disseminate and communicate screening results to interested personnel and affected parties. CC ID 16445 | Human Resources management | Preventive | |
| Disseminate and communicate personnel screening procedures to interested personnel and affected parties. CC ID 16977 | Human Resources management | Preventive | |
| Disseminate and communicate the security awareness and training procedures to interested personnel and affected parties. CC ID 14138 | Human Resources management | Preventive | |
| Submit a conflict of interest declaration to interested personnel and affected parties. CC ID 16194 [In addition to the provisions laid down in Articles 22 and 24, Member States shall ensure that statutory auditors or audit firms that carry out the statutory audit of a public-interest entity: confirm annually in writing to the audit committee their independence from the audited public-interest entity; Article 42 1.(a)] | Human Resources management | Preventive | |
| Include communication protocols for interested personnel and affected parties in the ethics program. CC ID 12858 | Human Resources management | Preventive | |
| Establish mechanisms to maintain the anonymity of whistleblowers. CC ID 12859 | Human Resources management | Preventive | |
| Make the registration database available to the public. CC ID 15107 [{unique identifier} Member States shall ensure that each statutory auditor and audit firm is identified in the public register by an individual number. Registration information shall be stored in the register in electronic form and shall be electronically accessible to the public. Article 15 2.] | Operational management | Preventive | |
| Submit approval applications to the supervisory authority. CC ID 16627 | Privacy protection for information and data | Preventive | |
| Notify the supervisory authority of the safeguards employed to protect the data subject's rights. CC ID 12605 | Privacy protection for information and data | Preventive | |
| Respond to questions about submissions in a timely manner. CC ID 16930 | Privacy protection for information and data | Preventive | |
| Include any reasons for delay if notifying the supervisory authority after the time limit. CC ID 12675 [If the requested competent authority is not able to supply the required information without undue delay, it shall notify the requesting competent authority of the reasons therefor. Article 36 4. ¶ 2] | Privacy protection for information and data | Corrective | |
| Respond to data access requests in an official language. CC ID 17176 | Privacy protection for information and data | Preventive | |
| Disseminate and communicate the disclosure requirements to interested personnel and affected parties. CC ID 16901 | Privacy protection for information and data | Preventive | |
| Notify the data subject of the disclosure purpose. CC ID 15268 | Privacy protection for information and data | Preventive | |
| Notify the individual of the organization's legal rights to refuse the personal data access request, as necessary. CC ID 13509 | Privacy protection for information and data | Preventive | |
| Notify that data subject of any exclusions to requested personal data. CC ID 15271 | Privacy protection for information and data | Preventive | |
| Notify individuals of the new time limit for responding to an access request in a notice of extension. CC ID 13599 | Privacy protection for information and data | Preventive | |
Configuration | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Include passwords, Personal Identification Numbers, and card security codes in the personal data definition. CC ID 04699 | Privacy protection for information and data | Preventive | |
| Store payment card data in secure chips, if possible. CC ID 13065 | Privacy protection for information and data | Preventive | |
| Refrain from storing data elements containing sensitive authentication data after authorization is approved. CC ID 04758 | Privacy protection for information and data | Preventive | |
Data and Information Management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Include valuation models in the margin system. CC ID 16663 | Leadership and high level objectives | Preventive | |
| Include procedures for collecting price data in the margin system. CC ID 16662 | Leadership and high level objectives | Preventive | |
| Include reliable sources for price data in the margin system. CC ID 16661 | Leadership and high level objectives | Preventive | |
| Include order tickets in the recordkeeping system for securities transactions. CC ID 16640 | Leadership and high level objectives | Preventive | |
| Include receipts and deliveries of securities in the recordkeeping system for securities transactions. CC ID 16650 | Leadership and high level objectives | Preventive | |
| Include debits and credits in the recordkeeping system for securities transactions. CC ID 16639 | Leadership and high level objectives | Preventive | |
| Include a description of the transaction in the recordkeeping system for securities transactions. CC ID 16645 | Leadership and high level objectives | Preventive | |
| Include chronological records of transactions in the recordkeeping system for securities transactions. CC ID 16638 | Leadership and high level objectives | Preventive | |
| Include the name of the dealer in the recordkeeping system for securities transactions. CC ID 16637 | Leadership and high level objectives | Preventive | |
| Include the execution price in the recordkeeping system for securities transactions. CC ID 16636 | Leadership and high level objectives | Preventive | |
| Include the date and time of the transaction in the recordkeeping system for securities transactions. CC ID 16635 | Leadership and high level objectives | Preventive | |
| Include the type of transaction in the recordkeeping system for securities transactions. CC ID 16633 | Leadership and high level objectives | Preventive | |
| Include account information In the recordkeeping system for securities transactions. CC ID 16632 | Leadership and high level objectives | Preventive | |
| Establish, implement, and maintain a registration database. CC ID 15048 [{unique identifier} Member States shall ensure that each statutory auditor and audit firm is identified in the public register by an individual number. Registration information shall be stored in the register in electronic form and shall be electronically accessible to the public. Article 15 2. Member States shall ensure that statutory auditors and audit firms notify the competent authorities in charge of the public register without undue delay of any change of information contained in the public register. The register shall be updated without undue delay after notification. Article 18 ¶ 1 Each Member State shall ensure that statutory auditors and audit firms are entered in a public register in accordance with Articles 16 and 17. In exceptional circumstances, Member States may disapply the requirements laid down in this Article and Article 16 regarding disclosure only to the extent necessary to mitigate an imminent and significant threat to the personal security of any person. Article 15 1.] | Operational management | Preventive | |
| Implement access restrictions for information in the registration database. CC ID 17235 | Operational management | Preventive | |
| Include registration numbers in the registration database. CC ID 17272 [As regards statutory auditors, the public register shall contain at least the following information: name, address and registration number; Article 16 1.(a) As regards statutory auditors, the public register shall contain at least the following information: if applicable, the name, address, website address and registration number of the audit firm(s) by which the statutory auditor is employed, or with whom he or she is associated as a partner or otherwise; Article 16 1.(b) As regards audit firms, the public register shall contain at least the following information: name, address and registration number; Article 17 1.(a)] | Operational management | Preventive | |
| Include electronic signatures in the registration database. CC ID 17281 [{public register} The information provided to the relevant competent authorities in accordance with Articles 16, 17 and 18 shall be signed by the statutory auditor or audit firm. Where the competent authority provides for the information to be made available electronically, that can, for example, be done by means of an electronic signature as defined in point 1 of Article 2 of Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures (19). Article 19 ¶ 1] | Operational management | Preventive | |
| Include other registrations in the registration database. CC ID 17274 [As regards audit firms, the public register shall contain at least the following information: all other registration(s) as audit firm with the competent authorities of other Member States and as audit entity with third countries, including the name(s) of the registration authority(ies), and, if applicable, the registration number(s). Article 17 1.(i)] | Operational management | Preventive | |
| Include the owners and shareholders in the registration database. CC ID 17273 [As regards audit firms, the public register shall contain at least the following information: names and business addresses of all owners and shareholders; Article 17 1.(f)] | Operational management | Preventive | |
| Publish the registration information in the registration database in an official language. CC ID 17280 [The information entered in the public register shall be drawn up in one of the languages permitted by the language rules applicable in the Member State concerned. Article 20 1. Member States may additionally allow the information to be entered in the public register in any other official language(s) of the Community. Member States may require the translation of the information to be certified. Article 20 2. ¶ 1] | Operational management | Preventive | |
| Maintain non-public information in a protected area in the registration database. CC ID 17237 | Operational management | Preventive | |
| Publish the IP addresses being used by each external customer in the registration database. CC ID 16403 | Operational management | Preventive | |
| Update registration information upon changes. CC ID 17275 [Member States shall ensure that statutory auditors and audit firms notify the competent authorities in charge of the public register without undue delay of any change of information contained in the public register. The register shall be updated without undue delay after notification. Article 18 ¶ 1] | Operational management | Preventive | |
| Maintain the accuracy of registry information published in registration databases. CC ID 16402 | Operational management | Preventive | |
| Maintain ease of use for information in the registration database. CC ID 17239 [{unique identifier} Member States shall ensure that each statutory auditor and audit firm is identified in the public register by an individual number. Registration information shall be stored in the register in electronic form and shall be electronically accessible to the public. Article 15 2.] | Operational management | Preventive | |
| Include all required information in the registration database. CC ID 15106 [As regards statutory auditors, the public register shall contain at least the following information: all other registration(s) as statutory auditor with the competent authorities of other Member States and as auditor with third countries, including the name(s) of the registration authority(ies), and, if applicable, the registration number(s). Article 16 1.(c) As regards audit firms, the public register shall contain at least the following information: name and registration number of all statutory auditors employed by or associated as partners or otherwise with the audit firm; Article 17 1.(e) {not be indicated} {public register} Third-country audit entities registered in accordance with Article 45 shall be clearly indicated in the register as such and not as audit firms. Article 17 2. {public register} {do not indicate} Third-country auditors registered in accordance with Article 45 shall be clearly indicated in the register as such and not as statutory auditors. Article 16 2. As regards audit firms, the public register shall contain at least the following information: legal form; Article 17 1.(b) {third-country audit entity} The competent authorities of a Member State shall, in accordance with Articles 15 to 17, register every third-country auditor and audit entity that provides an audit report concerning the annual or consolidated accounts of a company incorporated outwith the Community whose transferable securities are admitted to trading on a regulated market of that Member State within the meaning of point 14 of Article 4(1) of Directive 2004/39/EC, except when the company is an issuer exclusively of debt securities admitted to trading on a regulated market in a Member State within the meaning of Article 2(1)(b) of Directive 2004/109/EC, the denomination per unit of which is at least EUR 50 000 or, in case of debt securities denominated in another currency, equivalent, at the date of issue, to at least EUR 50 000. Article 45 1.] | Operational management | Preventive | |
| Provide individuals with information about where their personal data was processed. CC ID 00415 | Privacy protection for information and data | Preventive | |
| Provide individuals with information about the processing purpose of their personal data. CC ID 00416 | Privacy protection for information and data | Preventive | |
| Provide individuals with information about disclosure of their personal data. CC ID 00417 | Privacy protection for information and data | Preventive | |
| Allow guardians and legal representatives access to personal data about the individual for whom they are guardians or legal representatives. CC ID 00418 | Privacy protection for information and data | Preventive | |
| Provide assistance to requesters in preparing data access requests. CC ID 13588 | Privacy protection for information and data | Preventive | |
| Delay responding to data access requests, as necessary. CC ID 15504 | Privacy protection for information and data | Preventive | |
| Expedite the processing of data access requests, as necessary. CC ID 15496 | Privacy protection for information and data | Preventive | |
| Provide individuals with an estimate of how much data was withheld from the data access request. CC ID 15503 | Privacy protection for information and data | Preventive | |
| Document the outcome of the personal data access request review procedure. CC ID 00455 | Privacy protection for information and data | Preventive | |
| Identify any adverse effects the disclosure of personal data will have on the data subject. CC ID 15298 | Privacy protection for information and data | Preventive | |
| Review personal data disclosure requests. CC ID 07129 | Privacy protection for information and data | Preventive | |
| Include frivolous requests or vexatious requests as a reason for denial in the personal data request denial procedures. CC ID 00435 | Privacy protection for information and data | Preventive | |
| Include when the required information is unavailable as a reason for denial in the personal data request denial procedures. CC ID 00436 | Privacy protection for information and data | Preventive | |
| Include when the disclosure of personal data constitutes contempt of court or contempt of House of Representatives as a reason for denial in the personal data request denial procedures. CC ID 00437 | Privacy protection for information and data | Preventive | |
| Include disclosing personal data that would identify suppliers or breaches an express promise of privacy or implied promise of privacy as a reason for denial in the personal data request denial procedures. CC ID 00438 | Privacy protection for information and data | Preventive | |
| Include disclosing personal data that would compromise National Security as a reason for denial in the personal data request denial procedures. CC ID 00439 | Privacy protection for information and data | Preventive | |
| Include information that is protected by attorney-client privilege as a reason for denial in the personal data request denial procedures. CC ID 00440 | Privacy protection for information and data | Preventive | |
| Include disclosing personal data that would reveal trade secrets, commercial information, or harmful financial information as a reason for denial in the personal data request denial procedures. CC ID 00441 [The competent authorities may refuse to act on a request for information where: supplying information might adversely affect the sovereignty, security or public order of the requested Member State or breach national security rules; or Article 36 4. ¶ 3 (a)] | Privacy protection for information and data | Preventive | |
| Include disclosing personal data that would threaten an individual's life or an individual's security as a reason for denial in the personal data request denial procedures. CC ID 00442 | Privacy protection for information and data | Preventive | |
| Include disclosing personal data that would have an unreasonable impact on another individual's privacy as a reason for denial in the personal data request denial procedures. CC ID 00443 | Privacy protection for information and data | Preventive | |
| Include responding to access requests after the time limit as a reason for denial in the personal data request denial procedures. CC ID 13600 [The competent authorities may refuse to act on a request for information where: final judgment has already been passed in respect of the same actions and on the same statutory auditors or audit firms by the competent authorities of the requested Member State. Article 36 4. ¶ 3 (c)] | Privacy protection for information and data | Preventive | |
| Include information that was generated from a formal dispute as a reason for denial in the personal data request denial procedures. CC ID 00444 [The competent authorities may refuse to act on a request for information where: judicial proceedings have already been initiated in respect of the same actions and against the same statutory auditors or audit firms before the authorities of the requested Member State; or Article 36 4. ¶ 3 (b)] | Privacy protection for information and data | Preventive | |
| Include personal data that is used solely for scientific research, scholarly research, statistical research, library purposes, museum purposes, or archival purposes as a reason for denial in the personal data request denial procedures. CC ID 00445 | Privacy protection for information and data | Preventive | |
| Include personal data that is for the state's economic interest as a reason for denial in the personal data request denial procedures. CC ID 00446 | Privacy protection for information and data | Detective | |
| Include personal data that is for protecting the civil rights or other's freedoms as a reason for denial in the personal data request denial procedures. CC ID 00447 | Privacy protection for information and data | Preventive | |
| Include disclosing personal data that constitutes a state secret as a reason for denial in the personal data request denial procedures. CC ID 00448 | Privacy protection for information and data | Preventive | |
| Include disclosing personal data that would result in interference with the operation of public functions as a reason for denial in the personal data request denial procedures. CC ID 00449 | Privacy protection for information and data | Preventive | |
| Include disclosing personal data that would interrupt criminal investigation and surveillance or other legal purposes as a reason for denial in the personal data request denial procedures. CC ID 00450 | Privacy protection for information and data | Preventive | |
| Include when a country's laws prevent disclosure as a reason for denial in the personal data request denial procedures. CC ID 00451 | Privacy protection for information and data | Preventive | |
| Include disclosing personal data that would interfere with grievance proceeding or employee security investigations as a reason for denial in the personal data request denial procedures. CC ID 06873 | Privacy protection for information and data | Preventive | |
| Include disclosing personal data that would interfere with commercial acquisitions or reorganizations as a reason for denial in the personal data request denial procedures. CC ID 06874 | Privacy protection for information and data | Preventive | |
| Include if the cost or burden of disclosing the personal data is disproportionate as a reason for denial in the personal data request denial procedures. CC ID 06875 | Privacy protection for information and data | Preventive | |
| Notify interested personnel and affected parties of the reasons the data access request was refused. CC ID 00453 | Privacy protection for information and data | Preventive | |
| Notify individuals of their right to challenge a refusal to a data access request. CC ID 00454 | Privacy protection for information and data | Preventive | |
| Disseminate and communicate personal data to the individual that it relates to. CC ID 00428 | Privacy protection for information and data | Preventive | |
| Provide personal data to an individual after the individual's identity has been confirmed. CC ID 06876 | Privacy protection for information and data | Preventive | |
| Provide data or records in a reasonable time frame. CC ID 00429 | Privacy protection for information and data | Preventive | |
| Extend the time limit for providing personal data in order to convert it to an alternative format. CC ID 13591 | Privacy protection for information and data | Preventive | |
| Extend the time limit for providing personal data if the time is impracticable to respond to the access request. CC ID 13590 | Privacy protection for information and data | Preventive | |
| Extend the time limit for providing data if it would unreasonably interfere with the organization's activities. CC ID 13589 | Privacy protection for information and data | Preventive | |
| Provide data at a cost that is not excessive. CC ID 00430 | Privacy protection for information and data | Preventive | |
| Provide records or data in a reasonable manner. CC ID 00431 | Privacy protection for information and data | Preventive | |
| Provide personal data in a form that is intelligible. CC ID 00432 | Privacy protection for information and data | Preventive | |
| Provide restricted data that would threaten the life or security of another individual after that information has been redacted. CC ID 13604 | Privacy protection for information and data | Preventive | |
| Provide restricted data that would reveal confidential commercial information after that information has been redacted. CC ID 13602 | Privacy protection for information and data | Preventive | |
| Remove data pertaining to third parties before giving the requestor access to the information. CC ID 13601 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain record structures to support information confidentiality. CC ID 00360 [Member States shall ensure that all information and documents to which a statutory auditor or audit firm has access when carrying out a statutory audit are protected by adequate rules on confidentiality and professional secrecy. Article 23 1. Competent authorities shall, on request, and without undue delay, supply any information required for the purpose referred to in paragraph 1. Where necessary, the competent authorities receiving any such request shall, without undue delay, take the necessary measures to gather the required information. Information thus supplied shall be covered by the obligation of professional secrecy to which the persons employed or formerly employed by the competent authorities that received the information are subject. Article 36 4. ¶ 1 The working arrangements referred to in paragraph 1(d) shall ensure that: the persons employed or formerly employed by the competent authorities of the third country that receive the information are subject to obligations of professional secrecy; Article 47 2.(b)] | Privacy protection for information and data | Preventive | |
| Automate the disposition process for records that contain "do not store" data or "delete after transaction process" data. CC ID 06083 | Privacy protection for information and data | Preventive | |
| Develop remedies and sanctions for privacy policy violations. CC ID 00474 | Privacy protection for information and data | Preventive | |
Establish Roles | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Define the roles and responsibilities for personnel assigned to tasks in the Audit function. CC ID 00678 [Member States shall ensure that in the case of a statutory audit of the consolidated accounts of a group of undertakings: the group auditor bears the full responsibility for the audit report in relation with the consolidated accounts; Article 27 ¶ 1 (a)] | Audits and risk management | Preventive | |
| Assign the roles and responsibilities for the Board of Directors and senior management in the Audit function. CC ID 00679 | Audits and risk management | Preventive | |
| Assign the internal audit staff to be independent from business units reporting to the Board of Directors. CC ID 01184 | Audits and risk management | Preventive | |
| Define and assign the internal audit manager's roles and responsibilities. CC ID 00680 | Audits and risk management | Preventive | |
| Assign the internal audit manager's compensation and performance review to the Board of Directors or audit committee. CC ID 01186 | Audits and risk management | Preventive | |
| Define and assign the internal audit staff's roles and responsibilities. CC ID 00681 | Audits and risk management | Preventive | |
| Assign the responsibility for operating an internal control system to the internal audit staff. CC ID 01187 | Audits and risk management | Preventive | |
| Define and assign the external auditor's roles and responsibilities. CC ID 00683 [The statutory auditor or audit firm shall be appointed by the general meeting of shareholders or members of the audited entity. Article 37 1.] | Audits and risk management | Preventive | |
| Assign the audit to impartial auditors. CC ID 07118 [Member States shall ensure that when carrying out a statutory audit, the statutory auditor and/or the audit firm is independent of the audited entity and is not involved in the decision-taking of the audited entity. Article 22 1. {alternative measures} Member States may allow alternative systems or modalities for the appointment of the statutory auditor or audit firm, provided that those systems or modalities are designed to ensure the independence of the statutory auditor or audit firm from the executive members of the administrative body or from the managerial body of the audited entity. Article 37 2.] | Audits and risk management | Preventive | |
| Notify interested personnel and affected parties participating in the audit of their roles and responsibilities during the audit. CC ID 07151 | Audits and risk management | Preventive | |
| Establish, implement, and maintain high level operational roles and responsibilities. CC ID 00806 | Human Resources management | Preventive | |
| Assign security clearance procedures to qualified personnel. CC ID 06812 | Human Resources management | Preventive | |
| Assign personnel screening procedures to qualified personnel. CC ID 11699 | Human Resources management | Preventive | |
| Refrain from assigning security compliance assessment responsibility for the day-to-day production activities an individual performs. CC ID 12061 | Human Resources management | Preventive | |
| Require data controllers to be accountable for their actions. CC ID 00470 | Privacy protection for information and data | Preventive | |
Establish/Maintain Documentation | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Establish, implement, and maintain communication protocols. CC ID 12245 | Leadership and high level objectives | Preventive | |
| Include the reasons for objections to public disclosure in confidential treatment applications. CC ID 16594 | Leadership and high level objectives | Preventive | |
| Include contact information for the interested personnel and affected parties the report was filed with in the confidential treatment application. CC ID 16595 | Leadership and high level objectives | Preventive | |
| Include the information that was omitted in the confidential treatment application. CC ID 16593 | Leadership and high level objectives | Preventive | |
| Establish, implement, and maintain a Quality Management framework. CC ID 07196 [Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: Article 29 1. {third-country audit entity} Member States shall subject registered third-country auditors and audit entities to their systems of oversight, their quality assurance systems and their systems of investigation and penalties. A Member State may exempt a registered third-country auditor or audit entity from being subject to its quality assurance system if another Member State's or third country's system of quality assurance that has been assessed as equivalent in accordance with Article 46 has carried out a quality review of the third-country auditor or audit entity concerned during the previous three years. Article 45 3.] | Leadership and high level objectives | Preventive | |
| Include supply chain management standards in the Quality Management framework. CC ID 13701 | Leadership and high level objectives | Preventive | |
| Establish, implement, and maintain a Quality Management policy. CC ID 13694 | Leadership and high level objectives | Preventive | |
| Include a commitment to satisfy applicable requirements in the Quality Management policy. CC ID 13700 [Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: the quality assurance system shall be organised in such a manner that it is independent of the reviewed statutory auditors and audit firms and subject to public oversight as provided for in Chapter VIII; Article 29 1.(a)] | Leadership and high level objectives | Preventive | |
| Tailor the Quality Management policy to support the organization's strategic direction. CC ID 13699 | Leadership and high level objectives | Preventive | |
| Include a commitment to continual improvement of the Quality Management system in the Quality Management policy. CC ID 13698 | Leadership and high level objectives | Preventive | |
| Include critical Information Technology processes in the Quality Management framework. CC ID 13645 | Leadership and high level objectives | Preventive | |
| Align the quality objectives with the Quality Management policy. CC ID 13697 | Leadership and high level objectives | Preventive | |
| Establish, implement, and maintain a Quality Management standard. CC ID 01006 | Leadership and high level objectives | Preventive | |
| Document the measurements used by Quality Assurance and Quality Control testing. CC ID 07200 | Leadership and high level objectives | Preventive | |
| Establish, implement, and maintain a Quality Management program. CC ID 07201 [Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: the quality assurance system shall be organised in such a manner that it is independent of the reviewed statutory auditors and audit firms and subject to public oversight as provided for in Chapter VIII; Article 29 1.(a) {investigation process} {disciplinary process} The system of public oversight shall have the ultimate responsibility for the oversight of: continuing education, quality assurance and investigative and disciplinary systems. Article 32 4.(c)] | Leadership and high level objectives | Preventive | |
| Include quality objectives in the Quality Management program. CC ID 13693 | Leadership and high level objectives | Preventive | |
| Include records management in the quality management system. CC ID 15055 | Leadership and high level objectives | Preventive | |
| Include risk management in the quality management system. CC ID 15054 | Leadership and high level objectives | Preventive | |
| Include data management procedures in the quality management system. CC ID 15052 | Leadership and high level objectives | Preventive | |
| Include a post-market monitoring system in the quality management system. CC ID 15027 | Leadership and high level objectives | Preventive | |
| Include operational roles and responsibilities in the quality management system. CC ID 15028 | Leadership and high level objectives | Preventive | |
| Include resource management in the quality management system. CC ID 15026 [Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: the quality assurance system shall have adequate resources; Article 29 1.(c) Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: the scope of the quality assurance review, supported by adequate testing of selected audit files, shall include an assessment of compliance with applicable auditing standards and independence requirements, of the quantity and quality of resources spent, of the audit fees charged and of the internal quality control system of the audit firm; Article 29 1.(f)] | Leadership and high level objectives | Preventive | |
| Include communication protocols in the quality management system. CC ID 15025 | Leadership and high level objectives | Preventive | |
| Include incident reporting procedures in the quality management system. CC ID 15023 | Leadership and high level objectives | Preventive | |
| Include technical specifications in the quality management system. CC ID 15021 | Leadership and high level objectives | Preventive | |
| Document the deficiencies in a deficiency report that were found during Quality Control and corrected during Quality Improvement. CC ID 07203 [Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: the quality assurance review shall be the subject of a report which shall contain the main conclusions of the quality assurance review; Article 29 1.(g)] | Leadership and high level objectives | Preventive | |
| Include program documentation standards in the Quality Management program. CC ID 01016 | Leadership and high level objectives | Preventive | |
| Include program testing standards in the Quality Management program. CC ID 01017 | Leadership and high level objectives | Preventive | |
| Include system testing standards in the Quality Management program. CC ID 01018 | Leadership and high level objectives | Preventive | |
| Establish, implement, and maintain a financial management program. CC ID 13228 [Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: the funding for the quality assurance system shall be secure and free from any possible undue influence by statutory auditors or audit firms; Article 29 1.(b) The system of public oversight shall be adequately funded. The funding for the public oversight system shall be secure and free from any undue influence by statutory auditors or audit firms. Article 32 7.] | Leadership and high level objectives | Preventive | |
| Establish, implement, and maintain funds transfer procedures. CC ID 16754 | Leadership and high level objectives | Preventive | |
| Include communication protocols in the financial management program. CC ID 16763 | Leadership and high level objectives | Preventive | |
| Establish, implement, and maintain a financial products and services disclosure policy. CC ID 16717 | Leadership and high level objectives | Preventive | |
| Require acknowledgment of receipt from the customer in the financial products and services disclosure policy. CC ID 16725 | Leadership and high level objectives | Preventive | |
| Establish, implement, and maintain financial resource management procedures. CC ID 16642 [The system of public oversight shall be adequately funded. The funding for the public oversight system shall be secure and free from any undue influence by statutory auditors or audit firms. Article 32 7.] | Leadership and high level objectives | Preventive | |
| Document the rationale for the amount of financial resources being held. CC ID 16688 | Leadership and high level objectives | Preventive | |
| Establish, implement, and maintain collateral procedures. CC ID 16653 | Leadership and high level objectives | Preventive | |
| Include the use of appropriate models in the collateral procedures. CC ID 16687 | Leadership and high level objectives | Preventive | |
| Define the collateral requirements in the collateral procedures. CC ID 16686 | Leadership and high level objectives | Preventive | |
| Identify and document the financial resources available for use. CC ID 16643 | Leadership and high level objectives | Preventive | |
| Establish, implement, and maintain credit loss procedures. CC ID 16683 | Leadership and high level objectives | Preventive | |
| Include the allocation of credit losses in the credit loss procedures. CC ID 16684 | Leadership and high level objectives | Preventive | |
| Include fairness and equitability standards in the securities trading program. CC ID 16690 | Leadership and high level objectives | Preventive | |
| Include roles and responsibilities in the securities trading program. CC ID 16689 | Leadership and high level objectives | Preventive | |
| Establish, implement, and maintain a capital restoration plan. CC ID 16613 | Leadership and high level objectives | Preventive | |
| Include performance guarantees in the capital restoration plan. CC ID 16616 | Leadership and high level objectives | Preventive | |
| Include corrective actions taken in the capital restoration plan. CC ID 16612 | Leadership and high level objectives | Preventive | |
| Include required information in the capital restoration plan. CC ID 16609 | Leadership and high level objectives | Preventive | |
| Establish, implement, and maintain valuation procedures. CC ID 16634 | Leadership and high level objectives | Preventive | |
| Establish, implement, and maintain capital withdrawal requirements. CC ID 16576 | Leadership and high level objectives | Preventive | |
| Establish, implement, and maintain lending policies. CC ID 16608 | Leadership and high level objectives | Preventive | |
| Include the requirements for risk assessments in the lending policy. CC ID 16730 | Leadership and high level objectives | Preventive | |
| Include the requirements for sensitivity analyses in the lending policy. CC ID 16728 | Leadership and high level objectives | Preventive | |
| Include the requirements for feasibility studies in the lending policy. CC ID 16726 | Leadership and high level objectives | Preventive | |
| Include pricing structures in the lending policy. CC ID 16724 | Leadership and high level objectives | Preventive | |
| Include monitoring requirements in the lending policy. CC ID 16710 | Leadership and high level objectives | Preventive | |
| Include loan origination procedures in the lending policy. CC ID 16709 | Leadership and high level objectives | Preventive | |
| Include review procedures and approval procedures for exception loans in the lending policy. CC ID 16708 | Leadership and high level objectives | Preventive | |
| Include loan requirements in the lending policy. CC ID 16706 | Leadership and high level objectives | Preventive | |
| Include appraisals and evaluations in the lending policy. CC ID 16705 | Leadership and high level objectives | Preventive | |
| Include terms and conditions in the lending policy. CC ID 16695 | Leadership and high level objectives | Preventive | |
| Include the scope and distribution of loans in the lending policy. CC ID 16693 | Leadership and high level objectives | Preventive | |
| Include geographic areas in the lending policy. CC ID 16691 | Leadership and high level objectives | Preventive | |
| Include underwriting guidelines in the lending policy. CC ID 16619 | Leadership and high level objectives | Preventive | |
| Include credit review in the underwriting guidelines. CC ID 16765 | Leadership and high level objectives | Preventive | |
| Include loan-to-value ratio limits in the lending policy. CC ID 16618 | Leadership and high level objectives | Preventive | |
| Include documentation requirements in the lending policy. CC ID 16617 | Leadership and high level objectives | Preventive | |
| Include the purpose of the loan in the loan documentation. CC ID 16747 | Leadership and high level objectives | Preventive | |
| Include the source of repayment in the loan documentation. CC ID 16746 | Leadership and high level objectives | Preventive | |
| Include approval requirements in the lending policy. CC ID 16615 | Leadership and high level objectives | Preventive | |
| Include reporting requirements in the lending policy. CC ID 16614 | Leadership and high level objectives | Preventive | |
| Include loan portfolio diversification standards in the lending policy. CC ID 16611 | Leadership and high level objectives | Preventive | |
| Include loan administration procedures in the lending policy. CC ID 16610 | Leadership and high level objectives | Preventive | |
| Include loan participation agreements in the loan administration procedures. CC ID 16745 | Leadership and high level objectives | Preventive | |
| Include termination procedures in the loan participation agreement. CC ID 16753 | Leadership and high level objectives | Preventive | |
| Justify the safety and efficiency of the participation requirements in the loan participation agreement. CC ID 16752 | Leadership and high level objectives | Preventive | |
| Include servicing agreements in the loan administration procedures. CC ID 16744 | Leadership and high level objectives | Preventive | |
| Include claims processing in the loan administration procedures. CC ID 16742 | Leadership and high level objectives | Preventive | |
| Include forbearance management in the loan administration procedures. CC ID 16741 | Leadership and high level objectives | Preventive | |
| Include foreclosure management in the loan administration procedures. CC ID 16740 | Leadership and high level objectives | Preventive | |
| Include delinquency management in the loan administration procedures. CC ID 16739 | Leadership and high level objectives | Preventive | |
| Include the requirements for financial statements in the loan administration procedures. CC ID 16735 | Leadership and high level objectives | Preventive | |
| Include loan closing in the loan administration procedures. CC ID 16734 | Leadership and high level objectives | Preventive | |
| Include payoff statements in the loan administration procedures. CC ID 16733 | Leadership and high level objectives | Preventive | |
| Include payment processing in the loan administration procedures. CC ID 16732 | Leadership and high level objectives | Preventive | |
| Include loan reviews in the loan administration procedures. CC ID 16703 | Leadership and high level objectives | Preventive | |
| Include collections in the loan administration procedures. CC ID 16701 | Leadership and high level objectives | Preventive | |
| Include collateral inspections in the loan administration procedures. CC ID 16699 | Leadership and high level objectives | Preventive | |
| Include disbursements in the loan administration procedures. CC ID 16697 | Leadership and high level objectives | Preventive | |
| Establish, implement, and maintain a dividend policy. CC ID 16569 | Leadership and high level objectives | Preventive | |
| Include compliance requirements in the dividend policy. CC ID 16570 | Leadership and high level objectives | Preventive | |
| Establish, implement, and maintain escrow procedures for financial transactions. CC ID 16564 | Leadership and high level objectives | Preventive | |
| Establish, implement, and maintain a Capital Planning and Investment Control policy. CC ID 06279 | Leadership and high level objectives | Preventive | |
| Include risk management in the Capital Planning and Investment Control policy. CC ID 16764 | Leadership and high level objectives | Preventive | |
| Include debt rating requirements in the Capital Planning and Investment Control policy. CC ID 16692 | Leadership and high level objectives | Preventive | |
| Include divestiture requirements in the Capital Planning and Investment Control policy. CC ID 16591 | Leadership and high level objectives | Preventive | |
| Establish, implement, and maintain a recordkeeping system for securities transactions. CC ID 16631 | Leadership and high level objectives | Preventive | |
| Establish, implement, and maintain securities transaction notifications. CC ID 16600 | Leadership and high level objectives | Preventive | |
| Include the call date in the securities transaction notification. CC ID 16680 | Leadership and high level objectives | Preventive | |
| Include service charges and commissions in the securities transaction notification. CC ID 16702 | Leadership and high level objectives | Preventive | |
| Include the funds and securities in the possession of the organization in the securities transaction notification. CC ID 16679 | Leadership and high level objectives | Preventive | |
| Include the call price in the securities transaction notification. CC ID 16678 | Leadership and high level objectives | Preventive | |
| Include debits and credits in the securities transaction notification. CC ID 16677 | Leadership and high level objectives | Preventive | |
| Include transactions in the securities transaction notification. CC ID 16676 | Leadership and high level objectives | Preventive | |
| Include the credit rating of securities in the securities transaction notification. CC ID 16674 | Leadership and high level objectives | Preventive | |
| Include yield information in the securities transaction notification. CC ID 16673 | Leadership and high level objectives | Preventive | |
| Include redemption information in the securities transaction notification. CC ID 16672 | Leadership and high level objectives | Preventive | |
| Include the price calculated from the yield in the securities transaction notification. CC ID 16669 | Leadership and high level objectives | Preventive | |
| Include the type of call in the securities transaction notification. CC ID 16668 | Leadership and high level objectives | Preventive | |
| Include an account statement in the securities transaction notification. CC ID 16666 | Leadership and high level objectives | Preventive | |
| Include the yield to maturity in the securities transaction notification. CC ID 16665 | Leadership and high level objectives | Preventive | |
| Include the execution price in the securities transaction notification. CC ID 16664 | Leadership and high level objectives | Preventive | |
| Include the organization's role in the securities transaction notification. CC ID 16646 | Leadership and high level objectives | Preventive | |
| Include the name of the broker in the securities transaction notification. CC ID 16647 | Leadership and high level objectives | Preventive | |
| Include the name of the customer in the securities transaction notification. CC ID 16625 | Leadership and high level objectives | Preventive | |
| Include the organization's name in the securities transaction notification. CC ID 16624 | Leadership and high level objectives | Preventive | |
| Include confirmations in the securities transaction notification. CC ID 16623 | Leadership and high level objectives | Preventive | |
| Include remunerations in the securities transaction notification. CC ID 16622 | Leadership and high level objectives | Preventive | |
| Include requested information in the securities transaction notification. CC ID 16641 | Leadership and high level objectives | Preventive | |
| Include the execution date in the securities transaction notification. CC ID 16620 | Leadership and high level objectives | Preventive | |
| Establish, implement, and maintain financial reports. CC ID 14770 [Without prejudice to the responsibility of the members of the administrative, management or supervisory bodies, or of other members who are appointed by the general meeting of shareholders of the audited entity, the audit committee shall, inter alia: monitor the financial reporting process; Article 41 2.(a)] | Leadership and high level objectives | Preventive | |
| Structure financial reports in accordance with external requirements, as necessary. CC ID 14776 | Leadership and high level objectives | Preventive | |
| Include the report of independent Certified Public Accountants in the financial report. CC ID 14779 | Leadership and high level objectives | Preventive | |
| Include the business need justification for lost value in the financial report. CC ID 15588 | Leadership and high level objectives | Preventive | |
| Include financial statements in the financial report, as necessary. CC ID 14775 | Leadership and high level objectives | Preventive | |
| Include capital deductions and adjustments in the financial statement. CC ID 16667 | Leadership and high level objectives | Preventive | |
| Include earnings per share or loss per share in the financial statement. CC ID 16597 | Leadership and high level objectives | Preventive | |
| Include material contingencies in the financial statement. CC ID 16596 | Leadership and high level objectives | Preventive | |
| Include notes to financial statements in the financial report, as necessary. CC ID 14780 | Leadership and high level objectives | Preventive | |
| Include information on loans to small businesses and small farms in the call report. CC ID 16731 | Leadership and high level objectives | Preventive | |
| Include assets and liabilities in the call report. CC ID 16729 | Leadership and high level objectives | Preventive | |
| Establish, implement, and maintain a compliance monitoring policy. CC ID 00671 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain a metrics policy. CC ID 01654 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain an approach for compliance monitoring. CC ID 01653 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain disciplinary action notices. CC ID 16577 | Monitoring and measurement | Preventive | |
| Include a copy of the order in the disciplinary action notice. CC ID 16606 | Monitoring and measurement | Preventive | |
| Include the sanctions imposed in the disciplinary action notice. CC ID 16599 | Monitoring and measurement | Preventive | |
| Include the effective date of the sanctions in the disciplinary action notice. CC ID 16589 | Monitoring and measurement | Preventive | |
| Include the requirements that were violated in the disciplinary action notice. CC ID 16588 | Monitoring and measurement | Preventive | |
| Include responses to charges from interested personnel and affected parties in the disciplinary action notice. CC ID 16587 | Monitoring and measurement | Preventive | |
| Include the reasons for imposing sanctions in the disciplinary action notice. CC ID 16586 | Monitoring and measurement | Preventive | |
| Include required information in the disciplinary action notice. CC ID 16584 | Monitoring and measurement | Preventive | |
| Include a justification for actions taken in the disciplinary action notice. CC ID 16583 | Monitoring and measurement | Preventive | |
| Include a statement on the conclusions of the investigation in the disciplinary action notice. CC ID 16582 | Monitoring and measurement | Preventive | |
| Include the investigation results in the disciplinary action notice. CC ID 16581 | Monitoring and measurement | Preventive | |
| Include a description of the causes of the actions taken in the disciplinary action notice. CC ID 16580 | Monitoring and measurement | Preventive | |
| Include the name of the person responsible for the charges in the disciplinary action notice. CC ID 16579 | Monitoring and measurement | Preventive | |
| Include contact information in the disciplinary action notice. CC ID 16578 | Monitoring and measurement | Preventive | |
| Establish, implement, and maintain a Statement of Compliance. CC ID 12499 | Audits and risk management | Preventive | |
| Retain copies of external auditor outsourcing contracts and engagement letters. CC ID 01188 | Audits and risk management | Preventive | |
| Review external auditor outsourcing contracts and engagement letters. CC ID 01189 [Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: the scope of the quality assurance review, supported by adequate testing of selected audit files, shall include an assessment of compliance with applicable auditing standards and independence requirements, of the quantity and quality of resources spent, of the audit fees charged and of the internal quality control system of the audit firm; Article 29 1.(f)] | Audits and risk management | Preventive | |
| Include roles and responsibilities in external auditor outsourcing contracts. CC ID 16523 | Audits and risk management | Preventive | |
| Include a change control clause in external auditor outsourcing contracts. CC ID 01192 | Audits and risk management | Preventive | |
| Include procedures for resolving problems in external auditor outsourcing contracts. CC ID 01196 | Audits and risk management | Preventive | |
| Include procedures for controlling the use of restricted information in external auditor outsourcing contracts. CC ID 01194 | Audits and risk management | Preventive | |
| Include reports and work paper Records Management practices in external auditor outsourcing contracts. CC ID 01195 | Audits and risk management | Preventive | |
| Include communication protocols in external auditor outsourcing contracts. CC ID 01201 | Audits and risk management | Preventive | |
| Include the scope and work to be performed in external auditor outsourcing contracts. CC ID 01190 | Audits and risk management | Preventive | |
| Include work status reporting requirements in the external auditor outsourcing contracts. CC ID 01191 | Audits and risk management | Preventive | |
| Include access to work papers in external auditor outsourcing contracts. CC ID 01193 | Audits and risk management | Preventive | |
| Review the adequacy of the external auditor's work papers and audit reports. CC ID 01199 | Audits and risk management | Preventive | |
| Review the conclusions of the external auditor's work papers and audit reports. CC ID 01200 | Audits and risk management | Preventive | |
| Evaluate any refusal by the organization to provide missing audit documentation. CC ID 06993 | Audits and risk management | Preventive | |
| Take appropriate action if missing audit documentation compromises the audit. CC ID 06994 | Audits and risk management | Preventive | |
| Establish, implement, and maintain an audit program. CC ID 00684 [Without prejudice to the responsibility of the members of the administrative, management or supervisory bodies, or of other members who are appointed by the general meeting of shareholders of the audited entity, the audit committee shall, inter alia: monitor the statutory audit of the annual and consolidated accounts; Article 41 2.(c)] | Audits and risk management | Preventive | |
| Establish, implement, and maintain audit policies. CC ID 13166 | Audits and risk management | Preventive | |
| Include resource requirements in the audit program. CC ID 15237 | Audits and risk management | Preventive | |
| Include risks and opportunities in the audit program. CC ID 15236 | Audits and risk management | Preventive | |
| Establish and maintain audit terms. CC ID 13880 | Audits and risk management | Preventive | |
| Include a statement about the inherent limitations of the audit in the audit terms. CC ID 13883 | Audits and risk management | Preventive | |
| Include a statement that the audit will be conducted in accordance with attestation standards in the audit terms. CC ID 13882 | Audits and risk management | Preventive | |
| Establish, implement, and maintain agreed upon procedures that are in scope for the audit. CC ID 13893 | Audits and risk management | Preventive | |
| Establish, implement, and maintain an in scope system description. CC ID 14873 | Audits and risk management | Preventive | |
| Include facility locations in the audit assertion's in scope system description. CC ID 17261 | Audits and risk management | Preventive | |
| Include third party services in the audit assertion's in scope system description. CC ID 16503 | Audits and risk management | Preventive | |
| Include monitoring controls in the audit assertion's in scope system description. CC ID 16501 | Audits and risk management | Preventive | |
| Include availability commitments in the audit assertion's in scope system description. CC ID 14914 | Audits and risk management | Preventive | |
| Include changes in the audit assertion's in scope system description. CC ID 14894 | Audits and risk management | Preventive | |
| Include external communications in the audit assertion's in scope system description. CC ID 14913 | Audits and risk management | Preventive | |
| Include a section regarding incidents related to the system in the audit assertion’s in scope system description. CC ID 14878 | Audits and risk management | Preventive | |
| Include the function performed by the in scope system in the audit assertion's in scope system description. CC ID 14911 | Audits and risk management | Preventive | |
| Include the disposition of the incident in the audit assertion's in scope system description. CC ID 14896 | Audits and risk management | Preventive | |
| Include the extent of the incident in the audit assertion's in scope system description. CC ID 14895 | Audits and risk management | Preventive | |
| Include the timing of each incident in the audit assertion's in scope system description. CC ID 14891 | Audits and risk management | Preventive | |
| Include the nature of each incident in the audit assertion's in scope system description. CC ID 14889 | Audits and risk management | Preventive | |
| Include a section regarding in scope controls related to the system in the audit assertion's in scope system description. CC ID 14897 | Audits and risk management | Preventive | |
| Include how the in scope system meets external requirements in the audit assertion's in scope system description. CC ID 16502 | Audits and risk management | Preventive | |
| Include the timing of each control in the audit assertion's in scope system description. CC ID 14916 | Audits and risk management | Preventive | |
| Include the nature of the control in the audit assertion's in scope system description. CC ID 14910 | Audits and risk management | Preventive | |
| Include the information sources used in performing the control in the audit assertion's in scope system description. CC ID 14909 | Audits and risk management | Preventive | |
| Include the responsible party for performing the control in the audit assertion's in scope system description. CC ID 14907 | Audits and risk management | Preventive | |
| Include the subject matter to which the control is applied in the audit assertion's in scope system description. CC ID 14904 | Audits and risk management | Preventive | |
| Refrain from omitting or distorting information in the audit assertion's in scope system description. CC ID 14893 | Audits and risk management | Preventive | |
| Include the timing of each change in the audit assertion's in scope system description. CC ID 14892 | Audits and risk management | Preventive | |
| Include the system boundaries in the audit assertion's in scope system description. CC ID 14887 | Audits and risk management | Preventive | |
| Determine the presentation method of the audit assertion's in scope system description. CC ID 14885 | Audits and risk management | Detective | |
| Include the time frame covered by the description in the audit assertion's in scope system description. CC ID 14884 | Audits and risk management | Preventive | |
| Include commitments to third parties in the audit assertion. CC ID 14899 | Audits and risk management | Preventive | |
| Determine the completeness of the audit assertion's in scope system description. CC ID 14883 | Audits and risk management | Preventive | |
| Include system requirements in the audit assertion's in scope system description. CC ID 14881 | Audits and risk management | Preventive | |
| Include third party controls in the audit assertion's in scope system description. CC ID 14880 | Audits and risk management | Preventive | |
| Include agreement to the audit scope and audit terms in the audit program. CC ID 06965 | Audits and risk management | Preventive | |
| Establish and maintain a bespoke audit scope for each audit being performed. CC ID 13077 | Audits and risk management | Preventive | |
| Include audit subject matter in the audit program. CC ID 07103 | Audits and risk management | Preventive | |
| Examine the objectivity of the audit criteria in the audit program. CC ID 07104 | Audits and risk management | Preventive | |
| Examine the measurability of the audit criteria in the audit program. CC ID 07105 | Audits and risk management | Preventive | |
| Examine the completeness of the audit criteria in the audit program. CC ID 07106 | Audits and risk management | Preventive | |
| Examine the relevance of the audit criteria in the audit program. CC ID 07107 | Audits and risk management | Preventive | |
| Disseminate and communicate the audit program with the audit subject matter and audit criteria to all interested personnel and affected parties. CC ID 07116 | Audits and risk management | Preventive | |
| Include in scope information in the audit program. CC ID 16198 | Audits and risk management | Preventive | |
| Include the out of scope material or out of scope products in the audit program. CC ID 08962 | Audits and risk management | Preventive | |
| Provide a representation letter in support of the audit assertion. CC ID 07158 | Audits and risk management | Preventive | |
| Include a statement that management has evaluated compliance with external requirements in the representation letter. CC ID 13942 | Audits and risk management | Preventive | |
| Include a statement that the assumptions used for estimates are reasonable in the representation letter. CC ID 13934 | Audits and risk management | Preventive | |
| Include a statement that uncorrected misstatements are believed to be immaterial in the representation letter. CC ID 13884 | Audits and risk management | Preventive | |
| Include a statement that system incidents have been disclosed to the auditor in the representation letter. CC ID 16772 | Audits and risk management | Preventive | |
| Include a statement that incidents of fraud and non-compliance have been disclosed to the auditor in the representation letter. CC ID 16769 | Audits and risk management | Preventive | |
| Include a statement of responsibility for the subject matter in the representation letter. CC ID 07159 | Audits and risk management | Preventive | |
| Include a statement of responsibility for selecting the audit criteria in the representation letter. CC ID 07160 | Audits and risk management | Preventive | |
| Include a statement of responsibility regarding the appropriateness of the audit criteria in the representation letter. CC ID 07161 | Audits and risk management | Preventive | |
| Include an assertion about the subject matter based on the selected audit criteria in the representation letter. CC ID 07162 | Audits and risk management | Preventive | |
| Include a statement that all known matters contradicting the audit assertion have been disclosed to the auditor in the representation letter. CC ID 07163 | Audits and risk management | Preventive | |
| Include the availability of all in scope records relevant to the subject matter in the representation letter. CC ID 07164 | Audits and risk management | Preventive | |
| Include a statement that any known subsequent events have been disclosed to the auditor in the representation letter. CC ID 07165 | Audits and risk management | Preventive | |
| Include a statement that deficiencies in internal controls have been disclosed to the auditor in the representation letter. CC ID 13899 | Audits and risk management | Preventive | |
| Establish and maintain audit assertions, as necessary. CC ID 14871 | Audits and risk management | Detective | |
| Include an in scope system description in the audit assertion. CC ID 14872 | Audits and risk management | Preventive | |
| Include any assumptions that are improbable in the audit assertion. CC ID 13950 | Audits and risk management | Preventive | |
| Include investigations and legal proceedings in the audit assertion. CC ID 16846 | Audits and risk management | Preventive | |
| Include how the audit scope matches in scope controls in the audit assertion. CC ID 06969 | Audits and risk management | Preventive | |
| Include why specific criteria are ignored by in scope controls in the audit assertion. CC ID 07027 | Audits and risk management | Preventive | |
| Include how the in scope system is designed and implemented in the audit assertion. CC ID 06970 | Audits and risk management | Preventive | |
| Include the responsible party's opinion of the quality of the evidence in the audit assertion. CC ID 13949 | Audits and risk management | Preventive | |
| Include the end users and affected parties of the in scope system in the audit assertion. CC ID 07028 | Audits and risk management | Preventive | |
| Include the in scope services offered or in scope transactions processed in the audit assertion. CC ID 06971 | Audits and risk management | Preventive | |
| Include the in scope procedures in the audit assertion. CC ID 06972 | Audits and risk management | Preventive | |
| Include the in scope records produced in the audit assertion. CC ID 06968 | Audits and risk management | Preventive | |
| Include how in scope material events are monitored and logged in the audit assertion. CC ID 06973 | Audits and risk management | Preventive | |
| Include any in scope material events that might affect the assertion in the audit assertion. CC ID 06991 | Audits and risk management | Preventive | |
| Include the in scope controls and compliance documents in the audit assertion. CC ID 06974 | Audits and risk management | Preventive | |
| Include the in scope risk assessment processes in the audit assertion. CC ID 06975 | Audits and risk management | Preventive | |
| Include in scope change controls in the audit assertion. CC ID 06976 | Audits and risk management | Preventive | |
| Include any in scope uncorrected errors or non-compliance issues in the audit assertion. CC ID 06989 | Audits and risk management | Preventive | |
| Disseminate and communicate a written audit assertion of the audit scope and audit terms to interested personnel and affected parties. CC ID 06967 | Audits and risk management | Preventive | |
| Include conditions that might require modification of the audit program in the audit terms. CC ID 07149 | Audits and risk management | Preventive | |
| Include how access to in scope systems, personnel and in scope records are provided to the auditor in the audit terms. CC ID 06988 | Audits and risk management | Preventive | |
| Establish, implement, and maintain procedures for determining the desired level of assurance in the audit program. CC ID 12794 | Audits and risk management | Preventive | |
| Include the expectations for the audit report in the audit terms. CC ID 07148 | Audits and risk management | Preventive | |
| Establish and maintain a practitioner’s report on management’s assertions, as necessary. CC ID 13888 | Audits and risk management | Preventive | |
| Refrain from changing the date of the practitioner's report on agreed-upon procedures when reissuing it. CC ID 13896 | Audits and risk management | Corrective | |
| Include materiality levels in the audit terms. CC ID 01238 | Audits and risk management | Preventive | |
| Include material changes in information processes, Information Systems, and assets that could affect audits in the audit terms. CC ID 01239 | Audits and risk management | Preventive | |
| Include material weaknesses, material failures, and material errors in information processes, Information Systems, and assets that could affect audits in the audit terms. CC ID 01240 | Audits and risk management | Preventive | |
| Document any after the fact changes to the engagement file. CC ID 07002 | Audits and risk management | Preventive | |
| Protect access to the engagement file and all associated audit documentation in compliance with Authority Documents the organization must follow. CC ID 07179 | Audits and risk management | Preventive | |
| Disclose work papers in the engagement file in compliance with legal requirements. CC ID 07180 [Member States may allow the transfer to the competent authorities of a third country of audit working papers or other documents held by statutory auditors or audit firms approved by them, provided that: those audit working papers or other documents relate to audits of companies which have issued securities in that third country or which form part of a group issuing statutory consolidated accounts in that third country; Article 47 1.(a) Member States may allow the transfer to the competent authorities of a third country of audit working papers or other documents held by statutory auditors or audit firms approved by them, provided that: the transfer takes place via the home competent authorities to the competent authorities of that third country and at their request; Article 47 1.(b) Member States may allow the transfer to the competent authorities of a third country of audit working papers or other documents held by statutory auditors or audit firms approved by them, provided that: the competent authorities of the third country concerned meet requirements which have been declared adequate in accordance with paragraph 3; Article 47 1.(c) Member States may allow the transfer to the competent authorities of a third country of audit working papers or other documents held by statutory auditors or audit firms approved by them, provided that: there are working arrangements on the basis of reciprocity agreed between the competent authorities concerned; Article 47 1.(d) Member States may allow the transfer to the competent authorities of a third country of audit working papers or other documents held by statutory auditors or audit firms approved by them, provided that: the transfer of personal data to the third country is in accordance with Chapter IV of Directive 95/46/EC. Article 47 1.(e) In exceptional cases and by way of derogation from paragraph 1, Member States may allow statutory auditors and audit firms approved by them to transfer audit working papers and other documents directly to the competent authorities of a third country, provided that: investigations have been initiated by the competent authorities in that third country; Article 47 4.(a) In exceptional cases and by way of derogation from paragraph 1, Member States may allow statutory auditors and audit firms approved by them to transfer audit working papers and other documents directly to the competent authorities of a third country, provided that: the transfer does not conflict with the obligations with which statutory auditors and audit firms are required to comply in relation to the transfer of audit working papers and other documents to their home competent authority; Article 47 4.(b) In exceptional cases and by way of derogation from paragraph 1, Member States may allow statutory auditors and audit firms approved by them to transfer audit working papers and other documents directly to the competent authorities of a third country, provided that: there are working arrangements with the competent authorities of that third country that allow the competent authorities in the Member State reciprocal direct access to audit working papers and other documents of that third-country's audit entities; Article 47 4.(c) In exceptional cases and by way of derogation from paragraph 1, Member States may allow statutory auditors and audit firms approved by them to transfer audit working papers and other documents directly to the competent authorities of a third country, provided that: the requesting competent authority of the third country informs in advance the home competent authority of the statutory auditor or audit firm of each direct request for information, indicating the reasons therefor; Article 47 4.(d) In exceptional cases and by way of derogation from paragraph 1, Member States may allow statutory auditors and audit firms approved by them to transfer audit working papers and other documents directly to the competent authorities of a third country, provided that: the conditions referred to in paragraph 2 are respected. Article 47 4.(e)] | Audits and risk management | Preventive | |
| Edit the audit assertion for accuracy. CC ID 07030 | Audits and risk management | Preventive | |
| Determine if the audit assertion's in scope procedures are accurately documented. CC ID 06982 | Audits and risk management | Preventive | |
| Include the process of using evidential matter to test in scope controls in the test plan. CC ID 06996 | Audits and risk management | Preventive | |
| Establish, implement, and maintain interview procedures. CC ID 16282 | Audits and risk management | Preventive | |
| Establish and maintain work papers, as necessary. CC ID 13891 [Member States shall ensure that in the case of a statutory audit of the consolidated accounts of a group of undertakings: the group auditor carries out a review and maintains documentation of his or her review of the audit work performed by third-country auditor(s), statutory auditor(s), third-country audit entity(ies) or audit firm(s) for the purpose of the group audit. The documentation retained by the group auditor shall be such as enables the relevant competent authority to review the work of the group auditor properly; Article 27 ¶ 1 (b) The working arrangements referred to in paragraph 1(d) shall ensure that: the competent authorities of the third country may use audit working papers and other documents only for the exercise of their functions of public oversight, quality assurance and investigations that meet requirements equivalent to those of Articles 29, 30 and 32; Article 47 2.(c)] | Audits and risk management | Preventive | |
| Include the auditor's conclusions on work performed by individuals assigned to the audit in the work papers. CC ID 16775 | Audits and risk management | Preventive | |
| Include audit irregularities in the work papers. CC ID 16774 | Audits and risk management | Preventive | |
| Include corrective actions in the work papers. CC ID 16771 | Audits and risk management | Preventive | |
| Include information about the organization being audited and the auditor performing the audit in the work papers. CC ID 16770 | Audits and risk management | Preventive | |
| Include discussions with interested personnel and affected parties in the work papers. CC ID 16768 | Audits and risk management | Preventive | |
| Include justification for departing from mandatory requirements in the work papers. CC ID 13935 | Audits and risk management | Preventive | |
| Include the reviewer, and dates, for using evidential matter to test in scope controls in the work papers. CC ID 06998 | Audits and risk management | Preventive | |
| Include the tests, examinations, interviews and observations performed during the audit in the work papers. CC ID 07190 | Audits and risk management | Preventive | |
| Include if any subject matter experts or additional research had to be undertaken to test in scope controls in the work papers. CC ID 07026 | Audits and risk management | Preventive | |
| Include the tester, and dates, for using evidential matter to test in scope controls in the work papers. CC ID 06997 | Audits and risk management | Preventive | |
| Include the causes of identified in scope control deficiencies in the work papers. CC ID 07000 | Audits and risk management | Preventive | |
| Include discussions regarding the causes of identified in scope control deficiencies in the work papers. CC ID 06999 | Audits and risk management | Preventive | |
| Establish, implement, and maintain a practitioner’s report on agreed-upon procedures. CC ID 13894 | Audits and risk management | Preventive | |
| Establish and maintain a practitioner's examination report on pro forma financial information. CC ID 13968 | Audits and risk management | Preventive | |
| Include references to where financial information was derived in the practitioner's review report on pro forma financial information. CC ID 13982 | Audits and risk management | Preventive | |
| Include a statement that the financial statements used were audited by other practitioners in the practitioner's examination report on pro forma financial information, as necessary. CC ID 13981 | Audits and risk management | Preventive | |
| Establish and maintain organizational audit reports. CC ID 06731 | Audits and risk management | Preventive | |
| Determine what disclosures are required in the audit report. CC ID 14888 | Audits and risk management | Detective | |
| Include the purpose in the audit report. CC ID 17263 | Audits and risk management | Preventive | |
| Include audit subject matter in the audit report. CC ID 14882 | Audits and risk management | Preventive | |
| Include an other-matter paragraph in the audit report. CC ID 14901 | Audits and risk management | Preventive | |
| Include that the auditee did not provide comments in the audit report. CC ID 16849 | Audits and risk management | Preventive | |
| Include written agreements in the audit report. CC ID 17266 | Audits and risk management | Preventive | |
| Write the audit report using clear and conspicuous language. CC ID 13948 | Audits and risk management | Preventive | |
| Include a statement that the sufficiency of the agreed upon procedures is the responsibility of the specified parties in the audit report. CC ID 13936 | Audits and risk management | Preventive | |
| Include a statement that the financial statements were audited in the audit report. CC ID 13963 | Audits and risk management | Preventive | |
| Include the criteria that financial information was measured against in the audit report. CC ID 13966 | Audits and risk management | Preventive | |
| Include a description of the financial information being reported on in the audit report. CC ID 13965 | Audits and risk management | Preventive | |
| Include references to any adjustments of financial information in the audit report. CC ID 13964 | Audits and risk management | Preventive | |
| Include in the audit report that audit opinions are not dependent on references to subject matter experts, as necessary. CC ID 13953 | Audits and risk management | Preventive | |
| Include references to historical financial information used in the audit report. CC ID 13961 | Audits and risk management | Preventive | |
| Include a statement about the inherent limitations of the audit in the audit report. CC ID 14900 | Audits and risk management | Preventive | |
| Include a description of the limitations on the usefulness of hypothetical assumptions in the audit report. CC ID 13958 | Audits and risk management | Preventive | |
| Structure the audit report to be in the form of procedures and findings. CC ID 13940 | Audits and risk management | Preventive | |
| Include any discussions of significant findings in the audit report. CC ID 13955 | Audits and risk management | Preventive | |
| Include the date and with whom discussions about significant findings took place in the audit report. CC ID 13962 | Audits and risk management | Preventive | |
| Include the audit criteria in the audit report. CC ID 13945 | Audits and risk management | Preventive | |
| Include a statement in the audit report that the agreed upon procedures were potentially insufficient in identifying material risks, as necessary. CC ID 13957 | Audits and risk management | Preventive | |
| Include all hypothetical assumptions in the audit report. CC ID 13947 | Audits and risk management | Preventive | |
| Include a statement that identifies the distribution list for the report in the audit report. CC ID 07172 | Audits and risk management | Preventive | |
| Include a statement that identifies the use restrictions for the report in the audit report. CC ID 07173 | Audits and risk management | Preventive | |
| Include a statement that the agreed upon procedures involves collecting evidence in the audit report. CC ID 13956 | Audits and risk management | Preventive | |
| Include all of the facts and demonstrated plausibility in the audit report. CC ID 08929 | Audits and risk management | Preventive | |
| Include a statement that the agreed upon procedures were performed by all parties in the audit report. CC ID 13931 | Audits and risk management | Preventive | |
| Include references to subject matter experts in the audit report when citing qualified opinions. CC ID 13929 | Audits and risk management | Preventive | |
| Include a description of the assistance provided by Subject Matter Experts in the audit report. CC ID 13939 | Audits and risk management | Preventive | |
| Include a review of the subject matter expert's findings in the audit report. CC ID 13972 | Audits and risk management | Preventive | |
| Include a statement of the character of the engagement in the audit report. CC ID 07166 | Audits and risk management | Preventive | |
| Include the nature and scope of the audit performed in the statement of the character of the engagement in the audit report. CC ID 07167 | Audits and risk management | Preventive | |
| Include the professional standards governing the audit in the statement of the character of the engagement in the audit report. CC ID 07168 | Audits and risk management | Preventive | |
| Include all restrictions on the audit in the audit report. CC ID 13930 | Audits and risk management | Preventive | |
| Include a statement that the auditor has no responsibility to update the audit report after its submission. CC ID 13943 | Audits and risk management | Preventive | |
| Include a statement on the auditor's ethical requirements in the audit report. CC ID 16767 | Audits and risk management | Preventive | |
| Include a statement that the responsible party refused to provide a written assertion in the audit report. CC ID 13887 | Audits and risk management | Preventive | |
| Include a statement that the examination involves procedures for collecting evidence in the audit report. CC ID 13941 | Audits and risk management | Preventive | |
| Express an adverse opinion in the audit report when significant assumptions are not suitably supported. CC ID 13944 | Audits and risk management | Preventive | |
| Include a statement that modifications to historical evidence accurately reflect current evidence in the audit report. CC ID 13938 | Audits and risk management | Preventive | |
| Refrain from referencing other auditor's work in the audit report. CC ID 13881 | Audits and risk management | Preventive | |
| Include that the audit findings are not a predictive analysis of future compliance in the audit report. CC ID 07018 | Audits and risk management | Preventive | |
| Include how in scope controls meet external requirements in the audit report. CC ID 16450 | Audits and risk management | Preventive | |
| Include the in scope records used to obtain audit evidence in the description of tests of controls and results in the audit report. CC ID 14915 | Audits and risk management | Preventive | |
| Include recommended corrective actions in the audit report. CC ID 16197 | Audits and risk management | Preventive | |
| Include risks and opportunities in the audit report. CC ID 16196 | Audits and risk management | Preventive | |
| Include the description of tests of controls and results in the audit report. CC ID 14898 | Audits and risk management | Preventive | |
| Include the nature of the tests performed in the description of tests of controls and results in the audit report. CC ID 14908 | Audits and risk management | Preventive | |
| Include the test scope in the description of tests of controls and results in the audit report. CC ID 14906 | Audits and risk management | Preventive | |
| Identify the stakeholders interviewed to obtain audit evidence in the description of tests of controls and results in the audit report. CC ID 14905 | Audits and risk management | Preventive | |
| Include the controls that were tested in the description of tests of controls and results in the audit report. CC ID 14902 | Audits and risk management | Preventive | |
| Include subsequent events related to the audit assertion or audit subject matter in the audit report. CC ID 16773 | Audits and risk management | Preventive | |
| Include that the organization is the responsible party for the content of its audit assertion and in scope system description in the audit report. CC ID 07010 | Audits and risk management | Preventive | |
| Include that the organization is the responsible party for providing in scope services in the audit report. CC ID 14903 | Audits and risk management | Preventive | |
| Include that the organization is the responsible party for specifying in scope controls not defined by law or contractual obligation in the audit report. CC ID 07011 | Audits and risk management | Preventive | |
| Include that the organization is the responsible party for designing and implementing the in scope controls it identified in the audit scope in the audit report. CC ID 07014 | Audits and risk management | Preventive | |
| Include the audit opinion regarding the accurateness of the in scope system description in the audit report. CC ID 07019 | Audits and risk management | Preventive | |
| Include the attestation standards the auditor follows in the audit report. CC ID 07015 | Audits and risk management | Preventive | |
| Include the audit opinion about the audit assertion in relation to the audit criteria used for evaluation in the audit report. CC ID 07169 | Audits and risk management | Preventive | |
| Include the auditor's significant reservations about the engagement, the audit assertion, or the audit subject matter in the audit report. CC ID 07170 | Audits and risk management | Preventive | |
| Include an emphasis-of-matter paragraph in the audit report. CC ID 14890 | Audits and risk management | Preventive | |
| Include any out of scope components of in scope systems in the audit report. CC ID 07006 | Audits and risk management | Preventive | |
| Include that the organization is the responsible party for identifying material risks in the audit report. CC ID 07012 | Audits and risk management | Preventive | |
| Include that the organization is the responsible party for selecting the audit criteria in the audit report. CC ID 07013 | Audits and risk management | Preventive | |
| Compare the evaluations completed by the internal auditors and the external auditors in past audit reports. CC ID 01158 | Audits and risk management | Detective | |
| Review past audit reports. CC ID 01155 [Member States shall ensure that in the case of a statutory audit of the consolidated accounts of a group of undertakings: the group auditor carries out a review and maintains documentation of his or her review of the audit work performed by third-country auditor(s), statutory auditor(s), third-country audit entity(ies) or audit firm(s) for the purpose of the group audit. The documentation retained by the group auditor shall be such as enables the relevant competent authority to review the work of the group auditor properly; Article 27 ¶ 1 (b)] | Audits and risk management | Detective | |
| Review past audit reports for specific process steps and calculations that were stated to support the audit report's conclusions. CC ID 01160 | Audits and risk management | Detective | |
| Review the reporting of material weaknesses and risks in past audit reports. CC ID 01161 | Audits and risk management | Detective | |
| Refrain from including the description of the audit in the audit report when the auditor is disclaiming an audit opinion. CC ID 13975 | Audits and risk management | Preventive | |
| Refrain from including scope limitations from changed attestation engagements in the audit report. CC ID 13983 | Audits and risk management | Preventive | |
| Refrain from including in the audit report any procedures that were performed that the auditor is disclaiming in an audit opinion. CC ID 13974 | Audits and risk management | Preventive | |
| Include deficiencies and non-compliance in the audit report. CC ID 14879 | Audits and risk management | Corrective | |
| Include the results of the business impact analysis in the audit report. CC ID 17208 | Audits and risk management | Preventive | |
| Include an audit opinion in the audit report. CC ID 07017 | Audits and risk management | Preventive | |
| Include qualified opinions in the audit report. CC ID 13928 | Audits and risk management | Preventive | |
| Include that the auditor is the responsible party to express an opinion on the audit subject matter based on examination of evidence in the audit report. CC ID 07174 | Audits and risk management | Preventive | |
| Include a description of the reasons for modifying the audit opinion in the audit report. CC ID 13898 | Audits and risk management | Corrective | |
| Include that the auditor did not express an opinion in the audit report, as necessary. CC ID 13886 | Audits and risk management | Preventive | |
| Include items that were excluded from the audit report in the audit report. CC ID 07007 | Audits and risk management | Preventive | |
| Include the organization's privacy practices in the audit report. CC ID 07029 | Audits and risk management | Preventive | |
| Include items that pertain to third parties in the audit report. CC ID 07008 | Audits and risk management | Preventive | |
| Refrain from including reference to procedures performed in previous attestation engagements in the audit report. CC ID 13970 | Audits and risk management | Preventive | |
| Include a statement in the audit report that no procedures were performed subsequent to the date of the practitioner's review report on pro forma financial information, as necessary. CC ID 13969 | Audits and risk management | Preventive | |
| Include any of the organization's use of compensating controls that were not audited in the audit report. CC ID 07009 | Audits and risk management | Preventive | |
| Include whether the use of compensating controls are necessary in the audit report. CC ID 07020 | Audits and risk management | Preventive | |
| Include the pass or fail test status of all in scope controls in the audit report. CC ID 07016 | Audits and risk management | Preventive | |
| Include the process of using evidential matter to test in scope controls in the audit report. CC ID 07021 | Audits and risk management | Preventive | |
| Include the nature and causes of identified in scope control deviations in the audit report. CC ID 07022 | Audits and risk management | Preventive | |
| Modify the audit opinion in the audit report under defined conditions. CC ID 13937 | Audits and risk management | Corrective | |
| Include the written signature of the auditor's organization in the audit report. CC ID 13897 [Where an audit firm carries out the statutory audit, the audit report shall be signed by at least the statutory auditor(s) carrying out the statutory audit on behalf of the audit firm. In exceptional circumstances Member States may provide that this signature need not be disclosed to the public if such disclosure could lead to an imminent and significant threat to the personal security of any person. In any case the name(s) of the person(s) involved shall be known to the relevant competent authorities. Article 28 1.] | Audits and risk management | Preventive | |
| Include a statement that additional reports are being submitted in the audit report. CC ID 16848 | Audits and risk management | Preventive | |
| Disseminate and communicate the audit report to all interested personnel and affected parties identified in the distribution list. CC ID 07117 | Audits and risk management | Preventive | |
| Disseminate and communicate documents that contain information in support of the audit report. CC ID 07175 | Audits and risk management | Preventive | |
| Correct any material misstatements in documents that contain information in support of the audit report. CC ID 07176 | Audits and risk management | Preventive | |
| Review the issues of non-compliance from past audit reports. CC ID 01148 | Audits and risk management | Detective | |
| Accept the audit report. CC ID 07025 | Audits and risk management | Preventive | |
| Implement a corrective action plan in response to the audit report. CC ID 06777 | Audits and risk management | Corrective | |
| Define penalties for uncorrected audit findings or remaining non-compliant with the audit report. CC ID 08963 [If the recommendations referred to in point (j) are not followed up, the statutory auditor or audit firm shall, if applicable, be subject to the system of disciplinary actions or penalties referred to in Article 30. Article 29 1. ¶ 1 Member States shall ensure that there are effective systems of investigations and penalties to detect, correct and prevent inadequate execution of the statutory audit. Article 30 1.] | Audits and risk management | Preventive | |
| Include the audit criteria in the audit plan. CC ID 15262 | Audits and risk management | Preventive | |
| Include a list of reference documents in the audit plan. CC ID 15260 | Audits and risk management | Preventive | |
| Include the languages to be used for the audit in the audit plan. CC ID 15252 | Audits and risk management | Preventive | |
| Include the allocation of resources in the audit plan. CC ID 15251 | Audits and risk management | Preventive | |
| Include communication protocols in the audit plan. CC ID 15247 | Audits and risk management | Preventive | |
| Include the level of audit sampling necessary to collect sufficient audit evidence in the audit plan. CC ID 15246 | Audits and risk management | Preventive | |
| Include meeting schedules in the audit plan. CC ID 15245 | Audits and risk management | Preventive | |
| Include the time frames for the audit in the audit plan. CC ID 15244 | Audits and risk management | Preventive | |
| Include the time frames for conducting the audit in the audit plan. CC ID 15243 | Audits and risk management | Preventive | |
| Include the locations to be audited in the audit plan. CC ID 15242 | Audits and risk management | Preventive | |
| Include the processes to be audited in the audit plan. CC ID 15241 | Audits and risk management | Preventive | |
| Include audit objectives in the audit plan. CC ID 15240 | Audits and risk management | Preventive | |
| Include the risks associated with audit activities in the audit plan. CC ID 15239 | Audits and risk management | Preventive | |
| Establish, implement, and maintain an audit schedule for the audit program. CC ID 13158 | Audits and risk management | Preventive | |
| Establish, implement, and maintain a risk management program. CC ID 12051 | Audits and risk management | Preventive | |
| Establish, implement, and maintain the risk assessment framework. CC ID 00685 | Audits and risk management | Preventive | |
| Perform a gap analysis to review in scope controls for identified risks and implement new controls, as necessary. CC ID 00704 | Audits and risk management | Detective | |
| Establish, implement, and maintain a disclosure report. CC ID 15521 [The system of public oversight shall be transparent. This shall include the publication of annual work programmes and activity reports. Article 32 6.] | Audits and risk management | Preventive | |
| Include goals and targets in the disclosure report. CC ID 16339 [Member States shall ensure that statutory auditors and audit firms that carry out statutory audit(s) of public-interest entities publish on their websites, within three months of the end of each financial year, annual transparency reports that include at least the following: a description of the internal quality control system of the audit firm and a statement by the administrative or management body on the effectiveness of its functioning; Article 40 1.(d)] | Audits and risk management | Preventive | |
| Include the governance, risk, and compliance approach in the disclosure report. CC ID 16024 | Audits and risk management | Preventive | |
| Include a description of assurance processes in the disclosure report. CC ID 16031 [Member States shall ensure that statutory auditors and audit firms that carry out statutory audit(s) of public-interest entities publish on their websites, within three months of the end of each financial year, annual transparency reports that include at least the following: a description of the internal quality control system of the audit firm and a statement by the administrative or management body on the effectiveness of its functioning; Article 40 1.(d)] | Audits and risk management | Preventive | |
| Include how material topics are managed in the disclosure report. CC ID 15657 | Audits and risk management | Preventive | |
| Include disclosures for each material topic in the disclosure report. CC ID 15658 | Audits and risk management | Preventive | |
| Include a description of how the organization manages training and education in the disclosure report. CC ID 15875 [Member States shall ensure that statutory auditors and audit firms that carry out statutory audit(s) of public-interest entities publish on their websites, within three months of the end of each financial year, annual transparency reports that include at least the following: a statement on the policy followed by the audit firm concerning the continuing education of statutory auditors referred to in Article 13; Article 40 1.(h)] | Audits and risk management | Preventive | |
| Include a description of professional development programs in the disclosure report. CC ID 15880 | Audits and risk management | Preventive | |
| Include a description of professional development assistance in the disclosure report. CC ID 15879 | Audits and risk management | Preventive | |
| Include a description of transition assistance programs in the disclosure report. CC ID 15878 | Audits and risk management | Preventive | |
| Include the governance structure in the disclosure report. CC ID 15840 [Member States shall ensure that statutory auditors and audit firms that carry out statutory audit(s) of public-interest entities publish on their websites, within three months of the end of each financial year, annual transparency reports that include at least the following: a description of the governance structure of the audit firm; Article 40 1.(c)] | Audits and risk management | Preventive | |
| Include stakeholder representation in the disclosure report. CC ID 15847 | Audits and risk management | Preventive | |
| Include a description of the composition of governance bodies and committees in the disclosure report. CC ID 15843 | Audits and risk management | Preventive | |
| Include the ownership structure in the disclosure report. CC ID 15822 [Member States shall ensure that statutory auditors and audit firms that carry out statutory audit(s) of public-interest entities publish on their websites, within three months of the end of each financial year, annual transparency reports that include at least the following: a description of the legal structure and ownership; Article 40 1.(a)] | Audits and risk management | Preventive | |
| Include the shareholding structure in the disclosure report. CC ID 16093 | Audits and risk management | Preventive | |
| Establish, implement, and maintain a personnel management program. CC ID 14018 | Human Resources management | Preventive | |
| Establish, implement, and maintain a personnel security program. CC ID 10628 | Human Resources management | Preventive | |
| Establish, implement, and maintain personnel screening procedures. CC ID 11700 | Human Resources management | Preventive | |
| Perform a criminal records check during personnel screening. CC ID 06643 | Human Resources management | Preventive | |
| Document any reasons a full criminal records check could not be performed. CC ID 13305 | Human Resources management | Preventive | |
| Perform an academic records check during personnel screening. CC ID 06647 | Human Resources management | Preventive | |
| Document the personnel risk assessment results. CC ID 11764 | Human Resources management | Detective | |
| Establish, implement, and maintain security clearance procedures. CC ID 00783 | Human Resources management | Preventive | |
| Document the security clearance procedure results. CC ID 01635 | Human Resources management | Detective | |
| Include evidence of experience in applications for professional certification. CC ID 16193 | Human Resources management | Preventive | |
| Include supporting documentation in applications for professional certification. CC ID 16195 | Human Resources management | Preventive | |
| Document all training in a training record. CC ID 01423 | Human Resources management | Detective | |
| Review the current published guidance and awareness and training programs. CC ID 01245 | Human Resources management | Preventive | |
| Establish, implement, and maintain training plans. CC ID 00828 | Human Resources management | Preventive | |
| Include portions of the visitor control program in the training plan. CC ID 13287 | Human Resources management | Preventive | |
| Establish, implement, and maintain a security awareness program. CC ID 11746 | Human Resources management | Preventive | |
| Establish, implement, and maintain a security awareness and training policy. CC ID 14022 | Human Resources management | Preventive | |
| Include compliance requirements in the security awareness and training policy. CC ID 14092 | Human Resources management | Preventive | |
| Include coordination amongst entities in the security awareness and training policy. CC ID 14091 | Human Resources management | Preventive | |
| Establish, implement, and maintain security awareness and training procedures. CC ID 14054 | Human Resources management | Preventive | |
| Include management commitment in the security awareness and training policy. CC ID 14049 | Human Resources management | Preventive | |
| Include roles and responsibilities in the security awareness and training policy. CC ID 14048 | Human Resources management | Preventive | |
| Include the scope in the security awareness and training policy. CC ID 14047 | Human Resources management | Preventive | |
| Include the purpose in the security awareness and training policy. CC ID 14045 | Human Resources management | Preventive | |
| Include configuration management procedures in the security awareness program. CC ID 13967 | Human Resources management | Preventive | |
| Document security awareness requirements. CC ID 12146 | Human Resources management | Preventive | |
| Include safeguards for information systems in the security awareness program. CC ID 13046 | Human Resources management | Preventive | |
| Include security policies and security standards in the security awareness program. CC ID 13045 | Human Resources management | Preventive | |
| Include mobile device security guidelines in the security awareness program. CC ID 11803 | Human Resources management | Preventive | |
| Include training based on the participants' level of responsibility and access level in the security awareness program. CC ID 11802 | Human Resources management | Preventive | |
| Include a requirement to train all new hires and interested personnel in the security awareness program. CC ID 11800 | Human Resources management | Preventive | |
| Include remote access in the security awareness program. CC ID 13892 | Human Resources management | Preventive | |
| Document the goals of the security awareness program. CC ID 12145 | Human Resources management | Preventive | |
| Compare current security awareness assessment reports to the security awareness baseline. CC ID 12150 | Human Resources management | Preventive | |
| Document the scope of the security awareness program. CC ID 12148 | Human Resources management | Preventive | |
| Establish, implement, and maintain a security awareness baseline. CC ID 12147 | Human Resources management | Preventive | |
| Require personnel to acknowledge, through writing their signature, that they have read and understand the organization's security policies. CC ID 01363 | Human Resources management | Preventive | |
| Establish, implement, and maintain an environmental management system awareness program. CC ID 15200 | Human Resources management | Preventive | |
| Establish, implement, and maintain a conflict of interest policy. CC ID 14785 [{do not exist} Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: the selection of reviewers for specific quality assurance review assignments shall be effected in accordance with an objective procedure designed to ensure that there are no conflicts of interest between the reviewers and the statutory auditor or audit firm under review; Article 29 1.(e) The competent authorities shall be organised in such a manner that conflicts of interests are avoided. Article 35 2.] | Human Resources management | Preventive | |
| Include definitions of conflicts of interest in the conflict of interest policy. CC ID 14792 | Human Resources management | Preventive | |
| Include roles and responsibilities in the conflict of interest policy. CC ID 14790 | Human Resources management | Preventive | |
| Establish, implement, and maintain a training program to report compliance violations. CC ID 11835 | Human Resources management | Preventive | |
| Include contact details in the registration database. CC ID 15109 [The public register shall also contain the name and address of the competent authorities responsible for approval as referred to in Article 3, for quality assurance as referred to in Article 29, for investigations and penalties on statutory auditors and audit firms as referred to in Article 30, and for public oversight as referred to in Article 32. Article 15 3. As regards statutory auditors, the public register shall contain at least the following information: name, address and registration number; Article 16 1.(a) As regards statutory auditors, the public register shall contain at least the following information: if applicable, the name, address, website address and registration number of the audit firm(s) by which the statutory auditor is employed, or with whom he or she is associated as a partner or otherwise; Article 16 1.(b) As regards statutory auditors, the public register shall contain at least the following information: if applicable, the name, address, website address and registration number of the audit firm(s) by which the statutory auditor is employed, or with whom he or she is associated as a partner or otherwise; Article 16 1.(b) As regards audit firms, the public register shall contain at least the following information: name, address and registration number; Article 17 1.(a) As regards audit firms, the public register shall contain at least the following information: contact information, the primary contact person and, where applicable, the website address; Article 17 1.(c) As regards audit firms, the public register shall contain at least the following information: contact information, the primary contact person and, where applicable, the website address; Article 17 1.(c) As regards audit firms, the public register shall contain at least the following information: address of each office in the Member State; Article 17 1.(d) As regards audit firms, the public register shall contain at least the following information: names and business addresses of all members of the administrative or management body; Article 17 1.(g) As regards audit firms, the public register shall contain at least the following information: if applicable, the membership of a network and a list of the names and addresses of member firms and affiliates or an indication of the place where such information is publicly available; Article 17 1.(h)] | Operational management | Preventive | |
| Include personal data in the registration database, as necessary. CC ID 15108 | Operational management | Preventive | |
| Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain a personal data accountability program. CC ID 13432 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain approval applications. CC ID 16778 [The competent authorities of the Member States shall establish procedures for the approval of statutory auditors who have been approved in other Member States. Those procedures shall not go beyond a requirement to pass an aptitude test in accordance with Article 4 of Council Directive 89/48/EEC of 21 December 1988 on a general system for the recognition of higher-education diplomas awarded on completion of professional education and training of at least three years' duration (18). The aptitude test, which shall be conducted in one of the languages permitted by the language rules applicable in the Member State concerned, shall cover only the statutory auditor's adequate knowledge of the laws and regulations of that Member State in so far as relevant to statutory audits. Article 14 ¶ 1] | Privacy protection for information and data | Preventive | |
| Include required information in the approval application. CC ID 16628 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain a personal data use limitation program. CC ID 13428 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain data access procedures. CC ID 00414 [The working arrangements referred to in paragraph 1(d) shall ensure that: justification as to the purpose of the request for audit working papers and other documents is provided by the competent authorities; Article 47 2.(a)] | Privacy protection for information and data | Preventive | |
| Require data access requests to be in writing, unless the requester is unable. CC ID 00420 | Privacy protection for information and data | Preventive | |
| Define what is to be included in a data access request. CC ID 08699 | Privacy protection for information and data | Preventive | |
| Deliver the records described in the personal data access request, as necessary. CC ID 08701 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain procedures for individuals to be able to modify their personal data, as necessary. CC ID 11811 | Privacy protection for information and data | Preventive | |
| Include a liability waiver for any harm caused by the exclusion of personal data in the personal data removal request. CC ID 11975 | Privacy protection for information and data | Preventive | |
| Notify third parties of data access requests that relates to the third party. CC ID 08703 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain data disclosure procedures. CC ID 00133 [Each Member State shall ensure that statutory auditors and audit firms are entered in a public register in accordance with Articles 16 and 17. In exceptional circumstances, Member States may disapply the requirements laid down in this Article and Article 16 regarding disclosure only to the extent necessary to mitigate an imminent and significant threat to the personal security of any person. Article 15 1.] | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain data request denial procedures. CC ID 00434 [The working arrangements referred to in paragraph 1(d) shall ensure that: the request from a competent authority of a third country for audit working papers or other documents held by a statutory auditor or audit firm can be refused: where judicial proceedings have already been initiated in respect of the same actions and against the same persons before the authorities of the requested Member State. Article 47 2.(d) Bullet 2 The working arrangements referred to in paragraph 1(d) shall ensure that: the request from a competent authority of a third country for audit working papers or other documents held by a statutory auditor or audit firm can be refused: where the provision of those working papers or documents would adversely affect the sovereignty, security or public order of the Community or of the requested Member State, or Article 47 2.(d) Bullet 1] | Privacy protection for information and data | Preventive | |
| Document that a data search was conducted in case the requested data cannot be found. CC ID 06953 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain a data handling program. CC ID 13427 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain data handling policies. CC ID 00353 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain data and information confidentiality policies. CC ID 00361 [The obligation of professional secrecy shall apply to all persons who are employed or who have been employed by competent authorities. Information covered by professional secrecy may not be disclosed to any other person or authority except by virtue of the laws, regulations or administrative procedures of a Member State. Article 36 2.] | Privacy protection for information and data | Preventive | |
| Structure the language of compliance documents. CC ID 06098 | Harmonization Methods and Manual of Style | Preventive | |
| Standardize word usage. CC ID 06104 | Harmonization Methods and Manual of Style | Preventive | |
| Write policies and instructions using clear and conspicuous language. CC ID 16286 [Member States shall require statutory auditors and audit firms to carry out statutory audits in compliance with international auditing standards adopted by the Commission in accordance with the procedure referred to in Article 48(2). Member States may apply a national auditing standard as long as the Commission has not adopted an international auditing standard covering the same subject-matter. Adopted international auditing standards shall be published in full in each of the official languages of the Community in the Official Journal of the European Union. Article 26 1.] | Harmonization Methods and Manual of Style | Preventive | |
Human Resources Management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Align disciplinary actions with the level of compliance violation. CC ID 12404 | Monitoring and measurement | Preventive | |
| Define the qualification requirements for auditors. CC ID 17259 [The competent authorities of the Member States may approve as audit firms only those entities which satisfy the following conditions: the natural persons who carry out statutory audits on behalf of an audit firm must satisfy at least the conditions imposed by Articles 4 and 6 to 12 and must be approved as statutory auditors in the Member State concerned; Article 3 4.(a) Without prejudice to Article 11, the competent authorities of the Member States may approve as statutory auditors only natural persons who satisfy at least the conditions laid down in Articles 4 and 6 to 10. Article 3 3. The competent authorities of the Member States may approve as audit firms only those entities which satisfy the following conditions: a majority of the voting rights in an entity must be held by audit firms which are approved in any Member State or by natural persons who satisfy at least the conditions imposed by Articles 4 and 6 to 12. Member States may provide that such natural persons must also have been approved in another Member State. For the purpose of the statutory audit of cooperatives and similar entities as referred to in Article 45 of Directive 86/635/EEC, Member States may establish other specific provisions in relation to voting rights; Article 3 4.(b) The competent authorities of the Member States may approve as audit firms only those entities which satisfy the following conditions: a majority — up to a maximum of 75 % — of the members of the administrative or management body of the entity must be audit firms which are approved in any Member State or natural persons who satisfy at least the conditions imposed by Articles 4 and 6 to 12. Member States may provide that such natural persons must also have been approved in another Member State. Where such a body has no more than two members, one of those members must satisfy at least the conditions in this point; Article 3 4.(c) The competent authorities of the Member States may approve as audit firms only those entities which satisfy the following conditions: the firm must satisfy the condition imposed by Article 4. Article 3 4.(d) {audit firms} The competent authorities of a Member State may grant approval only to natural persons or firms of good repute. Article 4 ¶ 1 Without prejudice to Article 11, a natural person may be approved to carry out a statutory audit only after having attained university entrance or equivalent level, then completed a course of theoretical instruction, undergone practical training and passed an examination of professional competence of university final or equivalent examination level, organised or recognised by the Member State concerned. Article 6 ¶ 1 A Member State may approve a person who does not satisfy the conditions laid down in Article 6 as a statutory auditor, if he or she can show either: that he or she has, for 15 years, engaged in professional activities which have enabled him or her to acquire sufficient experience in the fields of finance, law and accountancy, and has passed the examination of professional competence referred to in Article 7, or Article 11 ¶ 1 (a) A Member State may approve a person who does not satisfy the conditions laid down in Article 6 as a statutory auditor, if he or she can show either: that he or she has, for seven years, engaged in professional activities in those fields and has, in addition, undergone the practical training referred to in Article 10 and passed the examination of professional competence referred to in Article 7. Article 11 ¶ 1 (b) The competent authorities of the Member States shall establish procedures for the approval of statutory auditors who have been approved in other Member States. Those procedures shall not go beyond a requirement to pass an aptitude test in accordance with Article 4 of Council Directive 89/48/EEC of 21 December 1988 on a general system for the recognition of higher-education diplomas awarded on completion of professional education and training of at least three years' duration (18). The aptitude test, which shall be conducted in one of the languages permitted by the language rules applicable in the Member State concerned, shall cover only the statutory auditor's adequate knowledge of the laws and regulations of that Member State in so far as relevant to statutory audits. Article 14 ¶ 1 In order to ensure the ability to apply theoretical knowledge in practice, a test of which is included in the examination, a trainee shall complete a minimum of three years' practical training in, inter alia, the auditing of annual accounts, consolidated accounts or similar financial statements. At least two thirds of such practical training shall be completed with a statutory auditor or audit firm approved in any Member State. Article 10 1. Member States shall ensure that the key audit partner(s) responsible for carrying out a statutory audit rotate(s) from the audit engagement within a maximum period of seven years from the date of appointment and is/are allowed to participate in the audit of the audited entity again after a period of at least two years. Article 42 2. Subject to reciprocity, the competent authorities of a Member State may approve a third-country auditor as statutory auditor if that person has furnished proof that he or she complies with requirements equivalent to those laid down in Articles 4 and 6 to 13. Article 44 1.] | Audits and risk management | Preventive | |
| Assign the Board of Directors to address audit findings. CC ID 12396 | Audits and risk management | Corrective | |
| Include roles and responsibilities in the interview procedures. CC ID 16297 | Audits and risk management | Preventive | |
| Identify the audit team members in the audit report. CC ID 15259 | Audits and risk management | Detective | |
| Define the roles and responsibilities for distributing the audit report. CC ID 16845 | Audits and risk management | Preventive | |
| Assign responsibility for remediation actions. CC ID 13622 | Audits and risk management | Preventive | |
| Evaluate the competency of auditors. CC ID 15253 | Audits and risk management | Detective | |
| Define and assign board committees, as necessary. CC ID 14787 | Human Resources management | Preventive | |
| Define and assign audit committees, as necessary. CC ID 14788 [Each public-interest entity shall have an audit committee. The Member State shall determine whether audit committees are to be composed of non-executive members of the administrative body and/or members of the supervisory body of the audited entity and/or members appointed by the general meeting of shareholders of the audited entity. At least one member of the audit committee shall be independent and shall have competence in accounting and/or auditing. Article 41 1. ¶ 1 Each public-interest entity shall have an audit committee. The Member State shall determine whether audit committees are to be composed of non-executive members of the administrative body and/or members of the supervisory body of the audited entity and/or members appointed by the general meeting of shareholders of the audited entity. At least one member of the audit committee shall be independent and shall have competence in accounting and/or auditing. Article 41 1. ¶ 1] | Human Resources management | Preventive | |
| Include members with experience in audit practices, financial reporting, and accounting in the audit committee. CC ID 14796 [Each public-interest entity shall have an audit committee. The Member State shall determine whether audit committees are to be composed of non-executive members of the administrative body and/or members of the supervisory body of the audited entity and/or members appointed by the general meeting of shareholders of the audited entity. At least one member of the audit committee shall be independent and shall have competence in accounting and/or auditing. Article 41 1. ¶ 1] | Human Resources management | Preventive | |
| Perform security skills assessments for all critical employees. CC ID 12102 | Human Resources management | Detective | |
| Perform a background check during personnel screening. CC ID 11758 | Human Resources management | Detective | |
| Perform a personal identification check during personnel screening. CC ID 06721 | Human Resources management | Preventive | |
| Perform a personal references check during personnel screening. CC ID 06645 | Human Resources management | Preventive | |
| Perform a credit check during personnel screening. CC ID 06646 | Human Resources management | Preventive | |
| Perform a resume check during personnel screening. CC ID 06659 | Human Resources management | Preventive | |
| Perform a curriculum vitae check during personnel screening. CC ID 06660 | Human Resources management | Preventive | |
| Allow personnel being screened to appeal findings and appeal decisions. CC ID 06720 | Human Resources management | Preventive | |
| Perform personnel screening procedures, as necessary. CC ID 11763 | Human Resources management | Preventive | |
| Perform periodic background checks on designated roles, as necessary. CC ID 11759 | Human Resources management | Detective | |
| Perform security clearance procedures, as necessary. CC ID 06644 | Human Resources management | Preventive | |
| Establish and maintain security clearances. CC ID 01634 | Human Resources management | Preventive | |
| Support certification programs as viable training programs. CC ID 13268 [Member States may provide that periods of theoretical instruction in the fields referred to in Article 8 shall count towards the periods of professional activity referred to in Article 11, provided that such instruction is attested by an examination recognised by the State. Such instruction shall not last less than one year, nor may it reduce the period of professional activity by more than four years. Article 12 1.] | Human Resources management | Preventive | |
| Hire third parties to conduct training, as necessary. CC ID 13167 | Human Resources management | Preventive | |
| Include ethical culture in the security awareness program. CC ID 12801 | Human Resources management | Preventive | |
| Include duties and responsibilities in the training plan, as necessary. CC ID 12800 | Human Resources management | Preventive | |
| Establish and maintain management's commitment to supporting the security awareness program. CC ID 12151 | Human Resources management | Preventive | |
| Establish and maintain a steering committee to guide the security awareness program. CC ID 12149 | Human Resources management | Preventive | |
| Encourage interested personnel to obtain security certification. CC ID 11804 | Human Resources management | Preventive | |
| Establish, implement, and maintain an ethics program. CC ID 11496 [Member States shall ensure that all statutory auditors and audit firms are subject to principles of professional ethics, covering at least their public-interest function, their integrity and objectivity and their professional competence and due care. Article 21 1. The system of public oversight shall have the ultimate responsibility for the oversight of: the adoption of standards on professional ethics, internal quality control of audit firms and auditing, and Article 32 4.(b)] | Human Resources management | Preventive | |
| Apply legal remedies to any person knowingly partaking in illegal actions. CC ID 11515 | Human Resources management | Preventive | |
| Include prohibiting counterfeiting in the ethics program. CC ID 11517 | Human Resources management | Preventive | |
| Refrain from assigning roles and responsibilities that breach segregation of duties. CC ID 12055 | Human Resources management | Preventive | |
IT Impact Zone | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Leadership and high level objectives CC ID 00597 | Leadership and high level objectives | IT Impact Zone | |
| Monitoring and measurement CC ID 00636 | Monitoring and measurement | IT Impact Zone | |
| Audits and risk management CC ID 00677 | Audits and risk management | IT Impact Zone | |
| Human Resources management CC ID 00763 | Human Resources management | IT Impact Zone | |
| Operational management CC ID 00805 | Operational management | IT Impact Zone | |
| Privacy protection for information and data CC ID 00008 | Privacy protection for information and data | IT Impact Zone | |
| Harmonization Methods and Manual of Style CC ID 06095 | Harmonization Methods and Manual of Style | IT Impact Zone | |
Investigate | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Investigate discrepancies between the information received and the information verified for each funds transfer. CC ID 16757 | Leadership and high level objectives | Detective | |
| Determine the amount of assets to be held in escrow. CC ID 16575 | Leadership and high level objectives | Detective | |
| Examine the availability of the audit criteria in the audit program. CC ID 16520 | Audits and risk management | Preventive | |
| Audit cybersecurity risk management within the policies, standards, and procedures of the organization. CC ID 13011 | Audits and risk management | Detective | |
| Audit information systems, as necessary. CC ID 13010 | Audits and risk management | Detective | |
| Audit the potential costs of compromise to information systems. CC ID 13012 | Audits and risk management | Detective | |
| Permit assessment teams to conduct audits, as necessary. CC ID 16430 | Audits and risk management | Detective | |
| Determine the effect of deficiencies on the audit report, as necessary. CC ID 14886 | Audits and risk management | Detective | |
| Establish, implement, and maintain investigation procedures addressing ethics complaints. CC ID 12900 | Human Resources management | Preventive | |
Log Management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Disseminate and communicate the reviews of audit reports to organizational management. CC ID 00653 | Audits and risk management | Detective | |
| Log the disclosure of personal data. CC ID 06628 | Privacy protection for information and data | Preventive | |
| Log the modification of personal data. CC ID 11844 | Privacy protection for information and data | Preventive | |
Monitor and Evaluate Occurrences | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Analyze organizational objectives, functions, and activities. CC ID 00598 | Leadership and high level objectives | Preventive | |
| Include monitoring and analysis capabilities in the quality management program. CC ID 17153 | Leadership and high level objectives | Preventive | |
| Monitor the performance of the margin system. CC ID 16655 | Leadership and high level objectives | Detective | |
| Monitor personnel and third parties for compliance to the organizational compliance framework. CC ID 04726 | Monitoring and measurement | Detective | |
| Supervise interested personnel and affected parties participating in the audit. CC ID 07150 | Audits and risk management | Preventive | |
| Track and measure the implementation of the organizational compliance framework. CC ID 06445 | Audits and risk management | Preventive | |
| Monitor and measure the effectiveness of security awareness. CC ID 06262 | Human Resources management | Detective | |
| Analyze and evaluate training records to improve the training program. CC ID 06380 | Human Resources management | Detective | |
| Include continuous monitoring for conflicts of interest in the conflict of interest policy. CC ID 17190 | Human Resources management | Preventive | |
| Analyze the organizational climate regarding support for expectation of responsible behavior and integrity. CC ID 12873 | Human Resources management | Preventive | |
| Analyze the organizational climate regarding the expectation of responsible behavior and integrity. CC ID 12872 | Human Resources management | Preventive | |
Process or Activity | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Request extensions for submissions to governing bodies, as necessary. CC ID 16955 | Leadership and high level objectives | Preventive | |
| Include ongoing monitoring in the financial management program. CC ID 16762 | Leadership and high level objectives | Preventive | |
| Employ tools to manage settlement and funding flows. CC ID 16743 | Leadership and high level objectives | Preventive | |
| Establish, implement, and maintain a subsidiary compliance program. CC ID 16694 | Leadership and high level objectives | Preventive | |
| Analyze the effectiveness of the stress test plan. CC ID 16657 | Leadership and high level objectives | Detective | |
| Align the lending policy with the organization's risk acceptance level. CC ID 16716 | Leadership and high level objectives | Preventive | |
| Include customer due diligence in the loan administration procedures. CC ID 16736 | Leadership and high level objectives | Preventive | |
| Assess the properties of the margin model used in the margin system. CC ID 16658 | Leadership and high level objectives | Detective | |
| Analyze the performance of the margin system. CC ID 16654 | Leadership and high level objectives | Detective | |
| Mitigate the threats to an auditor's independence. CC ID 17282 [Member States shall ensure that a statutory auditor or an audit firm shall not carry out a statutory audit if there is any direct or indirect financial, business, employment or other relationship — including the provision of additional non-audit services — between the statutory auditor, audit firm or network and the audited entity from which an objective, reasonable and informed third party would conclude that the statutory auditor's or audit firm's independence is compromised. If the statutory auditor's or audit firm's independence is affected by threats, such as self-review, self-interest, advocacy, familiarity or trust or intimidation, the statutory auditor or audit firm must apply safeguards in order to mitigate those threats. If the significance of the threats compared to the safeguards applied is such that his, her or its independence is compromised, the statutory auditor or audit firm shall not carry out the statutory audit. Article 22 2. ¶ 1 Member States shall ensure that a statutory auditor or audit firm documents in the audit working papers all significant threats to his, her or its independence as well as the safeguards applied to mitigate those threats. Article 22 3. {administrative bodies} {management bodies} Member States shall ensure that the owners or shareholders of an audit firm as well as the members of the administrative, management and supervisory bodies of such a firm, or of an affiliated firm, do not intervene in the execution of a statutory audit in any way which jeopardises the independence and objectivity of the statutory auditor who carries out the statutory audit on behalf of the audit firm. Article 24 ¶ 1 In addition to the provisions laid down in Articles 22 and 24, Member States shall ensure that statutory auditors or audit firms that carry out the statutory audit of a public-interest entity: discuss with the audit committee the threats to their independence and the safeguards applied to mitigate those threats as documented by them pursuant to Article 22(3). Article 42 1.(c)] | Audits and risk management | Preventive | |
| Refrain from approving changes to the audit terms absent reasonable justification. CC ID 13973 | Audits and risk management | Preventive | |
| Determine the effect of fraud and non-compliance on the description of the system in the audit assertion, as necessary. CC ID 13977 | Audits and risk management | Detective | |
| Determine the effect of fraud and non-compliance on the achievement of in scope controls in the audit assertion, as necessary. CC ID 13978 | Audits and risk management | Detective | |
| Review documentation to determine the effectiveness of in scope controls. CC ID 16522 | Audits and risk management | Preventive | |
| Coordinate the scheduling of interviews. CC ID 16293 | Audits and risk management | Preventive | |
| Create a schedule for the interviews. CC ID 16292 | Audits and risk management | Preventive | |
| Identify interviewees. CC ID 16290 | Audits and risk management | Preventive | |
| Discuss unsolved questions with the interviewee. CC ID 16298 | Audits and risk management | Detective | |
| Allow interviewee to respond to explanations. CC ID 16296 | Audits and risk management | Detective | |
| Explain the requirements being discussed to the interviewee. CC ID 16294 | Audits and risk management | Detective | |
| Explain the testing results to the interviewee. CC ID 16291 | Audits and risk management | Preventive | |
| Withdraw from the audit, when defined conditions exist. CC ID 13885 | Audits and risk management | Corrective | |
| Engage subject matter experts when the auditor requires additional expertise during an attestation engagement, as necessary. CC ID 13971 | Audits and risk management | Preventive | |
| Determine the effect of fraud and non-compliance on the audit report, as necessary. CC ID 13979 | Audits and risk management | Detective | |
| Include all residences in the criminal records check. CC ID 13306 | Human Resources management | Preventive | |
| Approve the approval application unless applicant has been convicted. CC ID 16603 | Privacy protection for information and data | Preventive | |
| Provide the supervisory authority with any information requested by the supervisory authority. CC ID 12606 [Competent authorities shall, on request, and without undue delay, supply any information required for the purpose referred to in paragraph 1. Where necessary, the competent authorities receiving any such request shall, without undue delay, take the necessary measures to gather the required information. Information thus supplied shall be covered by the obligation of professional secrecy to which the persons employed or formerly employed by the competent authorities that received the information are subject. Article 36 4. ¶ 1] | Privacy protection for information and data | Preventive | |
| Allow data subjects to submit data requests. CC ID 16545 | Privacy protection for information and data | Preventive | |
| Define what is included in a request for a waiver or reduction of fees. CC ID 15522 | Privacy protection for information and data | Preventive | |
| Allow affected third parties to consent or object to a data access request. CC ID 08704 | Privacy protection for information and data | Preventive | |
| Include disclosing personal data that would threaten facilities, property, transport, or communication systems as a reason for denial in the personal data request denial procedures. CC ID 08702 | Privacy protection for information and data | Preventive | |
| Include if the record would constitute an action for breach of a duty of confidence as a reason for denial in the personal data request denial procedures. CC ID 08700 | Privacy protection for information and data | Preventive | |
Records Management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Archive the engagement file and all work papers for the period prescribed by law or contract. CC ID 10038 | Audits and risk management | Preventive | |
| Submit personal data removal requests in writing. CC ID 11973 | Privacy protection for information and data | Preventive | |
| Allow authorized individuals to authenticate record entries containing personal data. CC ID 11812 | Privacy protection for information and data | Corrective | |
Systems Design, Build, and Implementation | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Include quality gates and testing milestones in the Quality Management program. CC ID 06825 | Leadership and high level objectives | Preventive | |
| Include an issue tracking system in the Quality Management program. CC ID 06824 [Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: recommendations of quality reviews shall be followed up by the statutory auditor or audit firm within a reasonable period. Article 29 1.(j)] | Leadership and high level objectives | Preventive | |
Technical Security | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Render unrecoverable sensitive authentication data after authorization is approved. CC ID 11952 | Privacy protection for information and data | Preventive | |
| Encrypt, truncate, or tokenize data fields, as necessary. CC ID 06850 | Privacy protection for information and data | Preventive | |
Testing | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Conduct Quality Control to ensure adherence to Information Technology policies, standards, and procedures. CC ID 01008 | Leadership and high level objectives | Detective | |
| Test the protective measures for effectiveness to prevent financial impact to responsible parties. CC ID 16750 | Leadership and high level objectives | Preventive | |
| Test the collateral requirements for appropriateness. CC ID 16681 | Leadership and high level objectives | Preventive | |
| Establish, implement, and maintain stress test plans for financial resources. CC ID 16644 | Leadership and high level objectives | Preventive | |
| Include stress scenarios in the stress test plan. CC ID 16659 | Leadership and high level objectives | Preventive | |
| Perform stress testing in accordance with the stress test plan. CC ID 16652 | Leadership and high level objectives | Preventive | |
| Validate the margin system on a regular basis. CC ID 16660 | Leadership and high level objectives | Detective | |
| Report audit findings to interested personnel and affected parties. CC ID 01152 [The statutory auditor or audit firm shall report to the audit committee on key matters arising from the statutory audit, and in particular on material weaknesses in internal control in relation to the financial reporting process. Article 41 4.] | Audits and risk management | Detective | |
| Review the external audit assertion for accuracy. CC ID 06977 | Audits and risk management | Detective | |
| Review the risk assessments as compared to the in scope controls. CC ID 06978 | Audits and risk management | Detective | |
| Conduct onsite inspections, as necessary. CC ID 16199 | Audits and risk management | Preventive | |
| Determine the accurateness of the audit assertion's in scope system description. CC ID 06979 | Audits and risk management | Detective | |
| Determine if the in scope system has been implemented as described in the audit assertion. CC ID 06983 | Audits and risk management | Detective | |
| Determine if the audit assertion's in scope controls are reasonable. CC ID 06980 | Audits and risk management | Detective | |
| Document test plans for auditing in scope controls. CC ID 06985 | Audits and risk management | Detective | |
| Determine the implementation status of in scope controls. CC ID 06981 | Audits and risk management | Detective | |
| Determine the effectiveness of in scope controls. CC ID 06984 [Without prejudice to the responsibility of the members of the administrative, management or supervisory bodies, or of other members who are appointed by the general meeting of shareholders of the audited entity, the audit committee shall, inter alia: monitor the effectiveness of the company's internal control, internal audit where applicable, and risk management systems; Article 41 2.(b)] | Audits and risk management | Detective | |
| Determine any errors or material omissions in the audit assertion that affect in scope control implementations. CC ID 06990 | Audits and risk management | Detective | |
| Audit the in scope system according to the test plan using relevant evidence. CC ID 07112 | Audits and risk management | Preventive | |
| Provide transactional walkthrough procedures for external auditors. CC ID 00672 | Audits and risk management | Preventive | |
| Conduct interviews, as necessary. CC ID 07188 | Audits and risk management | Detective | |
| Include if in scope control deviations allow in scope controls to be performed acceptably in the work papers. CC ID 06987 | Audits and risk management | Detective | |
| Investigate the nature and causes of identified in scope control deviations. CC ID 06986 | Audits and risk management | Detective | |
| Submit an audit report that is complete. CC ID 01145 [Member States shall ensure that in the case of a statutory audit of the consolidated accounts of a group of undertakings: when a component of a group of undertakings is audited by auditor(s) or audit entity(ies) from a third country that has no working arrangement as referred to in Article 47, the group auditor is responsible for ensuring proper delivery, when requested, to the public oversight authorities of the documentation of the audit work performed by the third-country auditor(s) or audit entity(ies), including the working papers relevant to the group audit. To ensure such delivery, the group auditor shall retain a copy of such documentation, or alternatively agree with the third-country auditor(s) or audit entity(ies) his proper and unrestricted access upon request, or take any other appropriate action. If legal or other impediments prevent audit working papers from being passed from a third country to the group auditor, the documentation retained by the group auditor shall include evidence that he or she has undertaken the appropriate procedures in order to gain access to the audit documentation, and in the case of impediments other than legal ones arising from country legislation, evidence supporting such an impediment. Article 27 ¶ 1 (c)] | Audits and risk management | Detective | |
| Assess the quality of the audit program in regards to the staff and their qualifications. CC ID 01150 | Audits and risk management | Detective | |
| Establish, implement, and maintain the audit plan. CC ID 01156 | Audits and risk management | Detective | |
| Determine the effectiveness of risk control measures. CC ID 06601 [Without prejudice to the responsibility of the members of the administrative, management or supervisory bodies, or of other members who are appointed by the general meeting of shareholders of the audited entity, the audit committee shall, inter alia: monitor the effectiveness of the company's internal control, internal audit where applicable, and risk management systems; Article 41 2.(b)] | Audits and risk management | Detective | |
| Employ individuals who have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 00782 [Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: the persons who carry out quality assurance reviews shall have appropriate professional education and relevant experience in statutory audit and financial reporting combined with specific training on quality assurance reviews; Article 29 1.(d) The system of public oversight shall be governed by non-practitioners who are knowledgeable in the areas relevant to statutory audit. Member States may, however, allow a minority of practitioners to be involved in the governance of the public oversight system. Persons involved in the governance of the public oversight system shall be selected in accordance with an independent and transparent nomination procedure. Article 32 3.] | Human Resources management | Detective | |
| Perform a drug test during personnel screening. CC ID 06648 | Human Resources management | Preventive | |
| Conduct tests and evaluate training. CC ID 06672 [Member States shall ensure that all training is carried out with persons providing adequate guarantees regarding their ability to provide practical training. Article 10 2.] | Human Resources management | Detective | |
| Refrain from storing data elements containing payment card full magnetic stripe data. CC ID 04757 | Privacy protection for information and data | Detective | |
Training | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Provide new hires limited network access to complete computer-based training. CC ID 17008 | Human Resources management | Preventive | |
| Submit applications for professional certification. CC ID 16192 | Human Resources management | Preventive | |
| Approve training plans, as necessary. CC ID 17193 | Human Resources management | Preventive | |
| Train personnel to recognize conditions of diseases or sicknesses, as necessary. CC ID 14383 | Human Resources management | Detective | |
| Include prevention techniques in training regarding diseases or sicknesses. CC ID 14387 | Human Resources management | Preventive | |
| Include the concept of disease clusters when training to recognize conditions of diseases or sicknesses. CC ID 14386 | Human Resources management | Preventive | |
| Train personnel to identify and communicate symptoms of exposure to disease or sickness. CC ID 14385 | Human Resources management | Detective | |
| Develop or acquire content to update the training plans. CC ID 12867 | Human Resources management | Preventive | |
| Establish, implement, and maintain a list of tasks to include in the training plan. CC ID 17101 | Human Resources management | Preventive | |
| Designate training facilities in the training plan. CC ID 16200 | Human Resources management | Preventive | |
| Include insider threats in the security awareness program. CC ID 16963 | Human Resources management | Preventive | |
| Include in scope external requirements in the training plan, as necessary. CC ID 13041 | Human Resources management | Preventive | |
| Conduct bespoke roles and responsibilities training, as necessary. CC ID 13192 | Human Resources management | Preventive | |
| Include risk management in the security awareness program. CC ID 13040 | Human Resources management | Preventive | |
| Conduct personal data processing training. CC ID 13757 | Human Resources management | Preventive | |
| Include in personal data processing training how to provide the contact information for the categories of personal data the organization may disclose. CC ID 13758 | Human Resources management | Preventive | |
| Include cloud security in the security awareness program. CC ID 13039 | Human Resources management | Preventive | |
| Complete security awareness training prior to being granted access to information systems or data. CC ID 17009 | Human Resources management | Preventive | |
| Include media protection in the security awareness program. CC ID 16368 | Human Resources management | Preventive | |
| Include identity and access management in the security awareness program. CC ID 17013 | Human Resources management | Preventive | |
| Include the encryption process in the security awareness program. CC ID 17014 | Human Resources management | Preventive | |
| Include physical security in the security awareness program. CC ID 16369 | Human Resources management | Preventive | |
| Include data management in the security awareness program. CC ID 17010 | Human Resources management | Preventive | |
| Include e-mail and electronic messaging in the security awareness program. CC ID 17012 | Human Resources management | Preventive | |
| Include updates on emerging issues in the security awareness program. CC ID 13184 | Human Resources management | Preventive | |
| Include cybersecurity in the security awareness program. CC ID 13183 | Human Resources management | Preventive | |
| Include implications of non-compliance in the security awareness program. CC ID 16425 | Human Resources management | Preventive | |
| Include social networking in the security awareness program. CC ID 17011 | Human Resources management | Preventive | |
| Include the acceptable use policy in the security awareness program. CC ID 15487 | Human Resources management | Preventive | |
| Train all personnel and third parties on how to recognize and report system failures. CC ID 13475 | Human Resources management | Preventive | |
| Conduct tampering prevention training. CC ID 11875 | Human Resources management | Preventive | |
| Include the mandate to refrain from installing, refrain from replacing, and refrain from returning any asset absent verification in the tampering prevention training. CC ID 11877 | Human Resources management | Preventive | |
| Include how to identify and authenticate third parties claiming to be maintenance personnel in the tampering prevention training. CC ID 11876 | Human Resources management | Preventive | |
| Include how to report tampering and unauthorized substitution in the tampering prevention training. CC ID 11879 | Human Resources management | Preventive | |
| Include how to prevent physical tampering in the tampering prevention training. CC ID 11878 | Human Resources management | Preventive | |
| Include procedures on how to inspect devices in the tampering prevention training. CC ID 11990 | Human Resources management | Preventive | |
| Train interested personnel and affected parties to collect digital forensic evidence. CC ID 08658 | Human Resources management | Preventive | |
Common Controls andThere are three types of Common Control classifications; corrective, detective, and preventive. Common Controls at the top level have the default assignment of Impact Zone.
Corrective | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
|---|---|---|---|
| Correct errors and deficiencies in a timely manner. CC ID 13501 | Leadership and high level objectives | Business Processes | |
| Carry out disciplinary actions when a compliance violation is detected. CC ID 06675 [Member States shall ensure that statutory auditors are required to take part in appropriate programmes of continuing education in order to maintain their theoretical knowledge, professional skills and values at a sufficiently high level, and that failure to respect the continuing education requirements is subject to appropriate penalties as referred to in Article 30. Article 13 ¶ 1 If the recommendations referred to in point (j) are not followed up, the statutory auditor or audit firm shall, if applicable, be subject to the system of disciplinary actions or penalties referred to in Article 30. Article 29 1. ¶ 1 Where a competent authority concludes that activities contrary to the provisions of this Directive are being or have been carried out on the territory of another Member State, it shall notify the competent authority of the other Member State of that conclusion in as specific a manner as possible. The competent authority of the other Member State shall take appropriate action. It shall inform the notifying competent authority of the outcome and, to the extent possible, of significant interim developments. Article 36 5. Without prejudice to Member States' civil liability regimes, Member States shall provide for effective, proportionate and dissuasive penalties in respect of statutory auditors and audit firms, where statutory audits are not carried out in conformity with the provisions adopted in the implementation of this Directive. Article 30 2. {investigation process} {disciplinary process} The system of public oversight shall have the ultimate responsibility for the oversight of: continuing education, quality assurance and investigative and disciplinary systems. Article 32 4.(c) The system of public oversight shall have the right, where necessary, to conduct investigations in relation to statutory auditors and audit firms and the right to take appropriate action. Article 32 5. {third-country audit entity} Member States shall subject registered third-country auditors and audit entities to their systems of oversight, their quality assurance systems and their systems of investigation and penalties. A Member State may exempt a registered third-country auditor or audit entity from being subject to its quality assurance system if another Member State's or third country's system of quality assurance that has been assessed as equivalent in accordance with Article 46 has carried out a quality review of the third-country auditor or audit entity concerned during the previous three years. Article 45 3.] | Monitoring and measurement | Behavior | |
| Assign the Board of Directors to address audit findings. CC ID 12396 | Audits and risk management | Human Resources Management | |
| Refrain from changing the date of the practitioner's report on agreed-upon procedures when reissuing it. CC ID 13896 | Audits and risk management | Establish/Maintain Documentation | |
| Withdraw from the audit, when defined conditions exist. CC ID 13885 | Audits and risk management | Process or Activity | |
| Solve any access problems auditors encounter during the audit. CC ID 08959 | Audits and risk management | Audits and Risk Management | |
| Include deficiencies and non-compliance in the audit report. CC ID 14879 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of the reasons for modifying the audit opinion in the audit report. CC ID 13898 | Audits and risk management | Establish/Maintain Documentation | |
| Disclaim the audit opinion in the audit report, as necessary. CC ID 13901 | Audits and risk management | Business Processes | |
| Modify the audit opinion in the audit report under defined conditions. CC ID 13937 | Audits and risk management | Establish/Maintain Documentation | |
| Implement a corrective action plan in response to the audit report. CC ID 06777 | Audits and risk management | Establish/Maintain Documentation | |
| Monitor and report on the status of mitigation actions in the corrective action plan. CC ID 15250 | Audits and risk management | Actionable Reports or Measurements | |
| Conduct secure coding and development training for developers. CC ID 06822 | Human Resources management | Behavior | |
| Respond to ethics complaints of ethics violations. CC ID 11497 | Human Resources management | Business Processes | |
| Include any reasons for delay if notifying the supervisory authority after the time limit. CC ID 12675 [If the requested competent authority is not able to supply the required information without undue delay, it shall notify the requesting competent authority of the reasons therefor. Article 36 4. ¶ 2] | Privacy protection for information and data | Communicate | |
| Allow authorized individuals to authenticate record entries containing personal data. CC ID 11812 | Privacy protection for information and data | Records Management | |
Detective | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
|---|---|---|---|
| Enforce a continuous Quality Control system. CC ID 01005 [Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: quality assurance reviews shall take place at least every six years; Article 29 1.(h) The system of public oversight shall have the ultimate responsibility for the oversight of: the adoption of standards on professional ethics, internal quality control of audit firms and auditing, and Article 32 4.(b)] | Leadership and high level objectives | Business Processes | |
| Conduct Quality Control to ensure adherence to Information Technology policies, standards, and procedures. CC ID 01008 | Leadership and high level objectives | Testing | |
| Establish and maintain time frames for correcting deficiencies found during Quality Control. CC ID 07206 | Leadership and high level objectives | Business Processes | |
| Review and analyze any quality improvement goals that were missed. CC ID 07204 | Leadership and high level objectives | Business Processes | |
| Investigate discrepancies between the information received and the information verified for each funds transfer. CC ID 16757 | Leadership and high level objectives | Investigate | |
| Verify all required information is attached to each funds transfer. CC ID 16755 | Leadership and high level objectives | Business Processes | |
| Analyze the effectiveness of the stress test plan. CC ID 16657 | Leadership and high level objectives | Process or Activity | |
| Validate the margin system on a regular basis. CC ID 16660 | Leadership and high level objectives | Testing | |
| Assess the properties of the margin model used in the margin system. CC ID 16658 | Leadership and high level objectives | Process or Activity | |
| Monitor the performance of the margin system. CC ID 16655 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
| Analyze the performance of the margin system. CC ID 16654 | Leadership and high level objectives | Process or Activity | |
| Determine the amount of assets to be held in escrow. CC ID 16575 | Leadership and high level objectives | Investigate | |
| Monitor personnel and third parties for compliance to the organizational compliance framework. CC ID 04726 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
| Report audit findings to interested personnel and affected parties. CC ID 01152 [The statutory auditor or audit firm shall report to the audit committee on key matters arising from the statutory audit, and in particular on material weaknesses in internal control in relation to the financial reporting process. Article 41 4.] | Audits and risk management | Testing | |
| Review the external audit assertion for accuracy. CC ID 06977 | Audits and risk management | Testing | |
| Review the risk assessments as compared to the in scope controls. CC ID 06978 | Audits and risk management | Testing | |
| Include nondisclosure agreements in external auditor outsourcing contracts. CC ID 10014 | Audits and risk management | Audits and Risk Management | |
| Determine if requested services create a threat to independence. CC ID 16823 [Member States shall ensure that a statutory auditor or audit firm documents in the audit working papers all significant threats to his, her or its independence as well as the safeguards applied to mitigate those threats. Article 22 3. Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: the scope of the quality assurance review, supported by adequate testing of selected audit files, shall include an assessment of compliance with applicable auditing standards and independence requirements, of the quantity and quality of resources spent, of the audit fees charged and of the internal quality control system of the audit firm; Article 29 1.(f) Without prejudice to the responsibility of the members of the administrative, management or supervisory bodies, or of other members who are appointed by the general meeting of shareholders of the audited entity, the audit committee shall, inter alia: review and monitor the independence of the statutory auditor or audit firm, and in particular the provision of additional services to the audited entity. Article 41 2.(d)] | Audits and risk management | Audits and Risk Management | |
| Determine the presentation method of the audit assertion's in scope system description. CC ID 14885 | Audits and risk management | Establish/Maintain Documentation | |
| Determine the appropriateness of the audit assertion's in scope system description. CC ID 16449 | Audits and risk management | Audits and Risk Management | |
| Confirm audit requirements during the opening meeting. CC ID 15255 | Audits and risk management | Audits and Risk Management | |
| Establish and maintain audit assertions, as necessary. CC ID 14871 | Audits and risk management | Establish/Maintain Documentation | |
| Refrain from performing an attestation engagement under defined conditions. CC ID 13952 [Member States shall in addition ensure that, where statutory audits of public-interest entities are concerned and where appropriate to safeguard the statutory auditor's or audit firm's independence, a statutory auditor or an audit firm shall not carry out a statutory audit in cases of self-review or self-interest. Article 22 2. ¶ 2 Member States shall ensure that a statutory auditor or an audit firm shall not carry out a statutory audit if there is any direct or indirect financial, business, employment or other relationship — including the provision of additional non-audit services — between the statutory auditor, audit firm or network and the audited entity from which an objective, reasonable and informed third party would conclude that the statutory auditor's or audit firm's independence is compromised. If the statutory auditor's or audit firm's independence is affected by threats, such as self-review, self-interest, advocacy, familiarity or trust or intimidation, the statutory auditor or audit firm must apply safeguards in order to mitigate those threats. If the significance of the threats compared to the safeguards applied is such that his, her or its independence is compromised, the statutory auditor or audit firm shall not carry out the statutory audit. Article 22 2. ¶ 1 Member States shall ensure that a statutory auditor or an audit firm shall not carry out a statutory audit if there is any direct or indirect financial, business, employment or other relationship — including the provision of additional non-audit services — between the statutory auditor, audit firm or network and the audited entity from which an objective, reasonable and informed third party would conclude that the statutory auditor's or audit firm's independence is compromised. If the statutory auditor's or audit firm's independence is affected by threats, such as self-review, self-interest, advocacy, familiarity or trust or intimidation, the statutory auditor or audit firm must apply safeguards in order to mitigate those threats. If the significance of the threats compared to the safeguards applied is such that his, her or its independence is compromised, the statutory auditor or audit firm shall not carry out the statutory audit. Article 22 2. ¶ 1] | Audits and risk management | Audits and Risk Management | |
| Identify hypothetical assumptions in forecasts and projections during an audit. CC ID 13946 | Audits and risk management | Audits and Risk Management | |
| Refrain from examining forecasts and projections which refrain from disclosing assumptions during an audit. CC ID 13932 | Audits and risk management | Audits and Risk Management | |
| Audit cybersecurity risk management within the policies, standards, and procedures of the organization. CC ID 13011 | Audits and risk management | Investigate | |
| Audit information systems, as necessary. CC ID 13010 | Audits and risk management | Investigate | |
| Audit the potential costs of compromise to information systems. CC ID 13012 | Audits and risk management | Investigate | |
| Determine the accurateness of the audit assertion's in scope system description. CC ID 06979 | Audits and risk management | Testing | |
| Determine if the in scope system has been implemented as described in the audit assertion. CC ID 06983 | Audits and risk management | Testing | |
| Investigate the nature and causes of misstatements in the audit assertion's in scope system description. CC ID 16557 | Audits and risk management | Audits and Risk Management | |
| Determine the effect of fraud and non-compliance on the description of the system in the audit assertion, as necessary. CC ID 13977 | Audits and risk management | Process or Activity | |
| Determine if the audit assertion's in scope controls are reasonable. CC ID 06980 | Audits and risk management | Testing | |
| Determine the effect of fraud and non-compliance on the achievement of in scope controls in the audit assertion, as necessary. CC ID 13978 | Audits and risk management | Process or Activity | |
| Document test plans for auditing in scope controls. CC ID 06985 | Audits and risk management | Testing | |
| Determine the implementation status of in scope controls. CC ID 06981 | Audits and risk management | Testing | |
| Determine the effectiveness of in scope controls. CC ID 06984 [Without prejudice to the responsibility of the members of the administrative, management or supervisory bodies, or of other members who are appointed by the general meeting of shareholders of the audited entity, the audit committee shall, inter alia: monitor the effectiveness of the company's internal control, internal audit where applicable, and risk management systems; Article 41 2.(b)] | Audits and risk management | Testing | |
| Review incident management audit logs to determine the effectiveness of in scope controls. CC ID 12157 | Audits and risk management | Audits and Risk Management | |
| Review audit reports to determine the effectiveness of in scope controls. CC ID 12156 [Without prejudice to the responsibility of the members of the administrative, management or supervisory bodies, or of other members who are appointed by the general meeting of shareholders of the audited entity, the audit committee shall, inter alia: monitor the effectiveness of the company's internal control, internal audit where applicable, and risk management systems; Article 41 2.(b)] | Audits and risk management | Audits and Risk Management | |
| Observe processes to determine the effectiveness of in scope controls. CC ID 12155 | Audits and risk management | Audits and Risk Management | |
| Interview stakeholders to determine the effectiveness of in scope controls. CC ID 12154 | Audits and risk management | Audits and Risk Management | |
| Review policies and procedures to determine the effectiveness of in scope controls. CC ID 12144 | Audits and risk management | Audits and Risk Management | |
| Evaluate personnel status changes to determine the effectiveness of in scope controls. CC ID 16556 | Audits and risk management | Audits and Risk Management | |
| Determine whether individuals performing a control have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 16555 | Audits and risk management | Audits and Risk Management | |
| Determine any errors or material omissions in the audit assertion that affect in scope control implementations. CC ID 06990 | Audits and risk management | Testing | |
| Conduct interviews, as necessary. CC ID 07188 | Audits and risk management | Testing | |
| Verify statements made by interviewees are correct. CC ID 16299 | Audits and risk management | Behavior | |
| Discuss unsolved questions with the interviewee. CC ID 16298 | Audits and risk management | Process or Activity | |
| Allow interviewee to respond to explanations. CC ID 16296 | Audits and risk management | Process or Activity | |
| Explain the requirements being discussed to the interviewee. CC ID 16294 | Audits and risk management | Process or Activity | |
| Explain the goals of the interview to the interviewee. CC ID 07189 | Audits and risk management | Behavior | |
| Include if the audit evidence has identified in scope control deficiencies in the work papers. CC ID 07152 | Audits and risk management | Audits and Risk Management | |
| Include if in scope control deviations allow in scope controls to be performed acceptably in the work papers. CC ID 06987 | Audits and risk management | Testing | |
| Investigate the nature and causes of identified in scope control deviations. CC ID 06986 | Audits and risk management | Testing | |
| Review the subject matter expert's findings. CC ID 16559 | Audits and risk management | Audits and Risk Management | |
| Permit assessment teams to conduct audits, as necessary. CC ID 16430 | Audits and risk management | Investigate | |
| Determine what disclosures are required in the audit report. CC ID 14888 | Audits and risk management | Establish/Maintain Documentation | |
| Identify the audit team members in the audit report. CC ID 15259 | Audits and risk management | Human Resources Management | |
| Identify the participants from the organization being audited in the audit report. CC ID 15258 | Audits and risk management | Audits and Risk Management | |
| Review the adequacy of the internal auditor's work papers. CC ID 01146 | Audits and risk management | Audits and Risk Management | |
| Compare the evaluations completed by the internal auditors and the external auditors in past audit reports. CC ID 01158 | Audits and risk management | Establish/Maintain Documentation | |
| Review the adequacy of the internal auditor's audit reports. CC ID 11620 | Audits and risk management | Audits and Risk Management | |
| Review past audit reports. CC ID 01155 [Member States shall ensure that in the case of a statutory audit of the consolidated accounts of a group of undertakings: the group auditor carries out a review and maintains documentation of his or her review of the audit work performed by third-country auditor(s), statutory auditor(s), third-country audit entity(ies) or audit firm(s) for the purpose of the group audit. The documentation retained by the group auditor shall be such as enables the relevant competent authority to review the work of the group auditor properly; Article 27 ¶ 1 (b)] | Audits and risk management | Establish/Maintain Documentation | |
| Review past audit reports for specific process steps and calculations that were stated to support the audit report's conclusions. CC ID 01160 | Audits and risk management | Establish/Maintain Documentation | |
| Review the reporting of material weaknesses and risks in past audit reports. CC ID 01161 | Audits and risk management | Establish/Maintain Documentation | |
| Determine the effect of deficiencies on the audit report, as necessary. CC ID 14886 | Audits and risk management | Investigate | |
| Determine the effect of fraud and non-compliance on the audit report, as necessary. CC ID 13979 | Audits and risk management | Process or Activity | |
| Disseminate and communicate the reviews of audit reports to organizational management. CC ID 00653 | Audits and risk management | Log Management | |
| Review the issues of non-compliance from past audit reports. CC ID 01148 | Audits and risk management | Establish/Maintain Documentation | |
| Submit an audit report that is complete. CC ID 01145 [Member States shall ensure that in the case of a statutory audit of the consolidated accounts of a group of undertakings: when a component of a group of undertakings is audited by auditor(s) or audit entity(ies) from a third country that has no working arrangement as referred to in Article 47, the group auditor is responsible for ensuring proper delivery, when requested, to the public oversight authorities of the documentation of the audit work performed by the third-country auditor(s) or audit entity(ies), including the working papers relevant to the group audit. To ensure such delivery, the group auditor shall retain a copy of such documentation, or alternatively agree with the third-country auditor(s) or audit entity(ies) his proper and unrestricted access upon request, or take any other appropriate action. If legal or other impediments prevent audit working papers from being passed from a third country to the group auditor, the documentation retained by the group auditor shall include evidence that he or she has undertaken the appropriate procedures in order to gain access to the audit documentation, and in the case of impediments other than legal ones arising from country legislation, evidence supporting such an impediment. Article 27 ¶ 1 (c)] | Audits and risk management | Testing | |
| Review management's response to issues raised in past audit reports. CC ID 01149 | Audits and risk management | Audits and Risk Management | |
| Assess the quality of the audit program in regards to the staff and their qualifications. CC ID 01150 | Audits and risk management | Testing | |
| Evaluate the competency of auditors. CC ID 15253 | Audits and risk management | Human Resources Management | |
| Review the audit program scope as it relates to the organization's profile. CC ID 01159 | Audits and risk management | Audits and Risk Management | |
| Establish, implement, and maintain the audit plan. CC ID 01156 | Audits and risk management | Testing | |
| Perform a gap analysis to review in scope controls for identified risks and implement new controls, as necessary. CC ID 00704 | Audits and risk management | Establish/Maintain Documentation | |
| Determine the effectiveness of risk control measures. CC ID 06601 [Without prejudice to the responsibility of the members of the administrative, management or supervisory bodies, or of other members who are appointed by the general meeting of shareholders of the audited entity, the audit committee shall, inter alia: monitor the effectiveness of the company's internal control, internal audit where applicable, and risk management systems; Article 41 2.(b)] | Audits and risk management | Testing | |
| Employ individuals who have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 00782 [Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: the persons who carry out quality assurance reviews shall have appropriate professional education and relevant experience in statutory audit and financial reporting combined with specific training on quality assurance reviews; Article 29 1.(d) The system of public oversight shall be governed by non-practitioners who are knowledgeable in the areas relevant to statutory audit. Member States may, however, allow a minority of practitioners to be involved in the governance of the public oversight system. Persons involved in the governance of the public oversight system shall be selected in accordance with an independent and transparent nomination procedure. Article 32 3.] | Human Resources management | Testing | |
| Perform security skills assessments for all critical employees. CC ID 12102 | Human Resources management | Human Resources Management | |
| Perform a background check during personnel screening. CC ID 11758 | Human Resources management | Human Resources Management | |
| Document the personnel risk assessment results. CC ID 11764 | Human Resources management | Establish/Maintain Documentation | |
| Perform periodic background checks on designated roles, as necessary. CC ID 11759 | Human Resources management | Human Resources Management | |
| Document the security clearance procedure results. CC ID 01635 | Human Resources management | Establish/Maintain Documentation | |
| Document all training in a training record. CC ID 01423 | Human Resources management | Establish/Maintain Documentation | |
| Conduct tests and evaluate training. CC ID 06672 [Member States shall ensure that all training is carried out with persons providing adequate guarantees regarding their ability to provide practical training. Article 10 2.] | Human Resources management | Testing | |
| Train personnel to recognize conditions of diseases or sicknesses, as necessary. CC ID 14383 | Human Resources management | Training | |
| Train personnel to identify and communicate symptoms of exposure to disease or sickness. CC ID 14385 | Human Resources management | Training | |
| Monitor and measure the effectiveness of security awareness. CC ID 06262 | Human Resources management | Monitor and Evaluate Occurrences | |
| Analyze and evaluate training records to improve the training program. CC ID 06380 | Human Resources management | Monitor and Evaluate Occurrences | |
| Grant registration after competence and integrity is verified. CC ID 16802 [Member States may additionally allow the information to be entered in the public register in any other official language(s) of the Community. Member States may require the translation of the information to be certified. Article 20 2. ¶ 1 {public register} In all cases, the Member State concerned shall ensure that the register indicates whether or not the translation is certified. Article 20 2. ¶ 2] | Operational management | Behavior | |
| Notify the individual of the reasons for delays in responding to data access requests. CC ID 00422 | Privacy protection for information and data | Behavior | |
| Notify the individual when a cost is imposed which must be paid in advance to gain access. CC ID 00423 | Privacy protection for information and data | Behavior | |
| Include personal data that is for the state's economic interest as a reason for denial in the personal data request denial procedures. CC ID 00446 | Privacy protection for information and data | Data and Information Management | |
| Refrain from storing data elements containing payment card full magnetic stripe data. CC ID 04757 | Privacy protection for information and data | Testing | |
IT Impact Zone | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
|---|---|---|---|
| Leadership and high level objectives CC ID 00597 | Leadership and high level objectives | IT Impact Zone | |
| Monitoring and measurement CC ID 00636 | Monitoring and measurement | IT Impact Zone | |
| Audits and risk management CC ID 00677 | Audits and risk management | IT Impact Zone | |
| Human Resources management CC ID 00763 | Human Resources management | IT Impact Zone | |
| Operational management CC ID 00805 | Operational management | IT Impact Zone | |
| Privacy protection for information and data CC ID 00008 | Privacy protection for information and data | IT Impact Zone | |
| Harmonization Methods and Manual of Style CC ID 06095 | Harmonization Methods and Manual of Style | IT Impact Zone | |
Preventive | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
|---|---|---|---|
| Establish, implement, and maintain a reporting methodology program. CC ID 02072 | Leadership and high level objectives | Business Processes | |
| Establish, implement, and maintain communication protocols. CC ID 12245 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Report to management and stakeholders on the findings and information gathered from all types of inquiries. CC ID 12797 [Competent authorities shall, on request, and without undue delay, supply any information required for the purpose referred to in paragraph 1. Where necessary, the competent authorities receiving any such request shall, without undue delay, take the necessary measures to gather the required information. Information thus supplied shall be covered by the obligation of professional secrecy to which the persons employed or formerly employed by the competent authorities that received the information are subject. Article 36 4. ¶ 1] | Leadership and high level objectives | Actionable Reports or Measurements | |
| Establish, implement, and maintain an external reporting program. CC ID 12876 | Leadership and high level objectives | Communicate | |
| Include reporting to governing bodies in the external reporting plan. CC ID 12923 [Where the approval of a statutory auditor or of an audit firm is withdrawn for any reason, the competent authority of the Member State where the approval is withdrawn shall communicate that fact and the reasons for the withdrawal to the relevant competent authorities of Member States where the statutory auditor or audit firm is also approved which are entered in the first-named Member State's register in accordance with Article 16(1), point (c). Article 5 3.] | Leadership and high level objectives | Communicate | |
| Submit confidential treatment applications to interested personnel and affected parties. CC ID 16592 | Leadership and high level objectives | Communicate | |
| Include the reasons for objections to public disclosure in confidential treatment applications. CC ID 16594 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include contact information for the interested personnel and affected parties the report was filed with in the confidential treatment application. CC ID 16595 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include the information that was omitted in the confidential treatment application. CC ID 16593 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Request extensions for submissions to governing bodies, as necessary. CC ID 16955 | Leadership and high level objectives | Process or Activity | |
| Analyze organizational objectives, functions, and activities. CC ID 00598 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
| Establish, implement, and maintain a Quality Management framework. CC ID 07196 [Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: Article 29 1. {third-country audit entity} Member States shall subject registered third-country auditors and audit entities to their systems of oversight, their quality assurance systems and their systems of investigation and penalties. A Member State may exempt a registered third-country auditor or audit entity from being subject to its quality assurance system if another Member State's or third country's system of quality assurance that has been assessed as equivalent in accordance with Article 46 has carried out a quality review of the third-country auditor or audit entity concerned during the previous three years. Article 45 3.] | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include supply chain management standards in the Quality Management framework. CC ID 13701 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Establish, implement, and maintain a Quality Management policy. CC ID 13694 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include a commitment to satisfy applicable requirements in the Quality Management policy. CC ID 13700 [Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: the quality assurance system shall be organised in such a manner that it is independent of the reviewed statutory auditors and audit firms and subject to public oversight as provided for in Chapter VIII; Article 29 1.(a)] | Leadership and high level objectives | Establish/Maintain Documentation | |
| Tailor the Quality Management policy to support the organization's strategic direction. CC ID 13699 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include a commitment to continual improvement of the Quality Management system in the Quality Management policy. CC ID 13698 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include critical Information Technology processes in the Quality Management framework. CC ID 13645 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Disseminate and communicate the Quality Management policy to all interested personnel and affected parties. CC ID 13695 | Leadership and high level objectives | Communicate | |
| Disseminate and communicate the Quality Management framework to all stakeholders. CC ID 13680 | Leadership and high level objectives | Communicate | |
| Align the quality objectives with the Quality Management policy. CC ID 13697 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Establish, implement, and maintain a Quality Management standard. CC ID 01006 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Document the measurements used by Quality Assurance and Quality Control testing. CC ID 07200 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Establish, implement, and maintain a Quality Management program. CC ID 07201 [Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: the quality assurance system shall be organised in such a manner that it is independent of the reviewed statutory auditors and audit firms and subject to public oversight as provided for in Chapter VIII; Article 29 1.(a) {investigation process} {disciplinary process} The system of public oversight shall have the ultimate responsibility for the oversight of: continuing education, quality assurance and investigative and disciplinary systems. Article 32 4.(c)] | Leadership and high level objectives | Establish/Maintain Documentation | |
| Notify affected parties and interested personnel of quality management system approvals that have been refused, suspended, or withdrawn. CC ID 15045 | Leadership and high level objectives | Communicate | |
| Notify affected parties and interested personnel of quality management system approvals that have been issued. CC ID 15036 | Leadership and high level objectives | Communicate | |
| Include quality objectives in the Quality Management program. CC ID 13693 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include monitoring and analysis capabilities in the quality management program. CC ID 17153 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
| Include records management in the quality management system. CC ID 15055 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include risk management in the quality management system. CC ID 15054 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include data management procedures in the quality management system. CC ID 15052 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include a post-market monitoring system in the quality management system. CC ID 15027 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include operational roles and responsibilities in the quality management system. CC ID 15028 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include quality gates and testing milestones in the Quality Management program. CC ID 06825 | Leadership and high level objectives | Systems Design, Build, and Implementation | |
| Include resource management in the quality management system. CC ID 15026 [Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: the quality assurance system shall have adequate resources; Article 29 1.(c) Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: the scope of the quality assurance review, supported by adequate testing of selected audit files, shall include an assessment of compliance with applicable auditing standards and independence requirements, of the quantity and quality of resources spent, of the audit fees charged and of the internal quality control system of the audit firm; Article 29 1.(f)] | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include communication protocols in the quality management system. CC ID 15025 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include incident reporting procedures in the quality management system. CC ID 15023 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include technical specifications in the quality management system. CC ID 15021 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Document the deficiencies in a deficiency report that were found during Quality Control and corrected during Quality Improvement. CC ID 07203 [Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: the quality assurance review shall be the subject of a report which shall contain the main conclusions of the quality assurance review; Article 29 1.(g)] | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include program documentation standards in the Quality Management program. CC ID 01016 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include program testing standards in the Quality Management program. CC ID 01017 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include system testing standards in the Quality Management program. CC ID 01018 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include an issue tracking system in the Quality Management program. CC ID 06824 [Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: recommendations of quality reviews shall be followed up by the statutory auditor or audit firm within a reasonable period. Article 29 1.(j)] | Leadership and high level objectives | Systems Design, Build, and Implementation | |
| Establish, implement, and maintain a financial management program. CC ID 13228 [Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: the funding for the quality assurance system shall be secure and free from any possible undue influence by statutory auditors or audit firms; Article 29 1.(b) The system of public oversight shall be adequately funded. The funding for the public oversight system shall be secure and free from any undue influence by statutory auditors or audit firms. Article 32 7.] | Leadership and high level objectives | Establish/Maintain Documentation | |
| Establish, implement, and maintain funds transfer procedures. CC ID 16754 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Provide required information that is missing from a funds transfer to the responsible party. CC ID 16761 | Leadership and high level objectives | Communicate | |
| Return the funds from a funds transfer when required information is not received or discrepancies resolved. CC ID 16760 | Leadership and high level objectives | Business Processes | |
| Delay the funds transfer until all required information has been received or discrepancies resolved. CC ID 16759 | Leadership and high level objectives | Business Processes | |
| Refrain from making funds from a funds transfer available to the interested personnel until all required information is received. CC ID 16758 | Leadership and high level objectives | Business Processes | |
| Attach the required information to each funds transfer. CC ID 16756 | Leadership and high level objectives | Business Processes | |
| Establish, implement, and maintain protective measures for customers from a bank's insolvency or default. CC ID 16738 | Leadership and high level objectives | Business Processes | |
| Test the protective measures for effectiveness to prevent financial impact to responsible parties. CC ID 16750 | Leadership and high level objectives | Testing | |
| Include communication protocols in the financial management program. CC ID 16763 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include ongoing monitoring in the financial management program. CC ID 16762 | Leadership and high level objectives | Process or Activity | |
| Employ tools to manage settlement and funding flows. CC ID 16743 | Leadership and high level objectives | Process or Activity | |
| Refrain from setting up anonymous financial accounts. CC ID 16721 | Leadership and high level objectives | Business Processes | |
| Identify and maintain positions in financial accounts. CC ID 16751 | Leadership and high level objectives | Business Processes | |
| Establish, implement, and maintain a financial products and services disclosure policy. CC ID 16717 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Require acknowledgment of receipt from the customer in the financial products and services disclosure policy. CC ID 16725 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Establish, implement, and maintain a subsidiary compliance program. CC ID 16694 | Leadership and high level objectives | Process or Activity | |
| Establish, implement, and maintain financial resource management procedures. CC ID 16642 [The system of public oversight shall be adequately funded. The funding for the public oversight system shall be secure and free from any undue influence by statutory auditors or audit firms. Article 32 7.] | Leadership and high level objectives | Establish/Maintain Documentation | |
| Document the rationale for the amount of financial resources being held. CC ID 16688 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Supplement financial resources, as necessary. CC ID 16685 | Leadership and high level objectives | Business Processes | |
| Establish, implement, and maintain collateral procedures. CC ID 16653 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include the use of appropriate models in the collateral procedures. CC ID 16687 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Define the collateral requirements in the collateral procedures. CC ID 16686 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Test the collateral requirements for appropriateness. CC ID 16681 | Leadership and high level objectives | Testing | |
| Limit the types of assets accepted as collateral. CC ID 16602 | Leadership and high level objectives | Business Processes | |
| Avoid the use of concentrated holdings of assets. CC ID 16651 | Leadership and high level objectives | Business Processes | |
| Establish, implement, and maintain stress test plans for financial resources. CC ID 16644 | Leadership and high level objectives | Testing | |
| Include stress scenarios in the stress test plan. CC ID 16659 | Leadership and high level objectives | Testing | |
| Perform stress testing in accordance with the stress test plan. CC ID 16652 | Leadership and high level objectives | Testing | |
| Disseminate and communicate the results of stress testing to interested personnel and affected parties. CC ID 16630 | Leadership and high level objectives | Communicate | |
| Identify and document the financial resources available for use. CC ID 16643 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Establish, implement, and maintain credit loss procedures. CC ID 16683 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include the allocation of credit losses in the credit loss procedures. CC ID 16684 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Establish, implement, and maintain a securities trading program. CC ID 16626 | Leadership and high level objectives | Business Processes | |
| Include fairness and equitability standards in the securities trading program. CC ID 16690 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include roles and responsibilities in the securities trading program. CC ID 16689 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Establish, implement, and maintain a capital restoration plan. CC ID 16613 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include performance guarantees in the capital restoration plan. CC ID 16616 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include corrective actions taken in the capital restoration plan. CC ID 16612 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include required information in the capital restoration plan. CC ID 16609 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Establish, implement, and maintain valuation procedures. CC ID 16634 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include investment information in approval requests for investments. CC ID 16590 | Leadership and high level objectives | Business Processes | |
| Establish, implement, and maintain capital withdrawal requirements. CC ID 16576 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Establish, implement, and maintain lending policies. CC ID 16608 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Align the lending policy with the organization's risk acceptance level. CC ID 16716 | Leadership and high level objectives | Process or Activity | |
| Include the requirements for risk assessments in the lending policy. CC ID 16730 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include the requirements for sensitivity analyses in the lending policy. CC ID 16728 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include the requirements for feasibility studies in the lending policy. CC ID 16726 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include pricing structures in the lending policy. CC ID 16724 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include monitoring requirements in the lending policy. CC ID 16710 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include loan origination procedures in the lending policy. CC ID 16709 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include review procedures and approval procedures for exception loans in the lending policy. CC ID 16708 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include loan requirements in the lending policy. CC ID 16706 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include appraisals and evaluations in the lending policy. CC ID 16705 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include terms and conditions in the lending policy. CC ID 16695 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include the scope and distribution of loans in the lending policy. CC ID 16693 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include geographic areas in the lending policy. CC ID 16691 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include underwriting guidelines in the lending policy. CC ID 16619 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include credit review in the underwriting guidelines. CC ID 16765 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include loan-to-value ratio limits in the lending policy. CC ID 16618 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include documentation requirements in the lending policy. CC ID 16617 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include the purpose of the loan in the loan documentation. CC ID 16747 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include the source of repayment in the loan documentation. CC ID 16746 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include approval requirements in the lending policy. CC ID 16615 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include reporting requirements in the lending policy. CC ID 16614 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include loan portfolio diversification standards in the lending policy. CC ID 16611 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include loan administration procedures in the lending policy. CC ID 16610 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include loan participation agreements in the loan administration procedures. CC ID 16745 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include termination procedures in the loan participation agreement. CC ID 16753 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Justify the safety and efficiency of the participation requirements in the loan participation agreement. CC ID 16752 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include servicing agreements in the loan administration procedures. CC ID 16744 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include claims processing in the loan administration procedures. CC ID 16742 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include forbearance management in the loan administration procedures. CC ID 16741 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include foreclosure management in the loan administration procedures. CC ID 16740 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include delinquency management in the loan administration procedures. CC ID 16739 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include customer due diligence in the loan administration procedures. CC ID 16736 | Leadership and high level objectives | Process or Activity | |
| Include the requirements for financial statements in the loan administration procedures. CC ID 16735 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include loan closing in the loan administration procedures. CC ID 16734 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include payoff statements in the loan administration procedures. CC ID 16733 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include payment processing in the loan administration procedures. CC ID 16732 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include loan reviews in the loan administration procedures. CC ID 16703 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include collections in the loan administration procedures. CC ID 16701 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include collateral inspections in the loan administration procedures. CC ID 16699 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include disbursements in the loan administration procedures. CC ID 16697 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Review and approve lending policies. CC ID 16607 | Leadership and high level objectives | Business Processes | |
| Establish, implement, and maintain a dividend policy. CC ID 16569 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include compliance requirements in the dividend policy. CC ID 16570 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Establish, implement, and maintain margin systems. CC ID 16601 | Leadership and high level objectives | Business Processes | |
| Include valuation models in the margin system. CC ID 16663 | Leadership and high level objectives | Data and Information Management | |
| Include procedures for collecting price data in the margin system. CC ID 16662 | Leadership and high level objectives | Data and Information Management | |
| Include reliable sources for price data in the margin system. CC ID 16661 | Leadership and high level objectives | Data and Information Management | |
| Establish, implement, and maintain capital adequacy measures. CC ID 16568 | Leadership and high level objectives | Business Processes | |
| Establish, implement, and maintain escrow procedures for financial transactions. CC ID 16564 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Disseminate and communicate the escrow procedures to interested personnel and affected parties. CC ID 16565 | Leadership and high level objectives | Communicate | |
| Establish, implement, and maintain a Capital Planning and Investment Control policy. CC ID 06279 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include risk management in the Capital Planning and Investment Control policy. CC ID 16764 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include debt rating requirements in the Capital Planning and Investment Control policy. CC ID 16692 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include divestiture requirements in the Capital Planning and Investment Control policy. CC ID 16591 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Establish, implement, and maintain a recordkeeping system for securities transactions. CC ID 16631 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include order tickets in the recordkeeping system for securities transactions. CC ID 16640 | Leadership and high level objectives | Data and Information Management | |
| Include receipts and deliveries of securities in the recordkeeping system for securities transactions. CC ID 16650 | Leadership and high level objectives | Data and Information Management | |
| Include debits and credits in the recordkeeping system for securities transactions. CC ID 16639 | Leadership and high level objectives | Data and Information Management | |
| Include a description of the transaction in the recordkeeping system for securities transactions. CC ID 16645 | Leadership and high level objectives | Data and Information Management | |
| Include chronological records of transactions in the recordkeeping system for securities transactions. CC ID 16638 | Leadership and high level objectives | Data and Information Management | |
| Include the name of the dealer in the recordkeeping system for securities transactions. CC ID 16637 | Leadership and high level objectives | Data and Information Management | |
| Include the execution price in the recordkeeping system for securities transactions. CC ID 16636 | Leadership and high level objectives | Data and Information Management | |
| Include the date and time of the transaction in the recordkeeping system for securities transactions. CC ID 16635 | Leadership and high level objectives | Data and Information Management | |
| Include the type of transaction in the recordkeeping system for securities transactions. CC ID 16633 | Leadership and high level objectives | Data and Information Management | |
| Include account information In the recordkeeping system for securities transactions. CC ID 16632 | Leadership and high level objectives | Data and Information Management | |
| Establish, implement, and maintain securities transaction notifications. CC ID 16600 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include the call date in the securities transaction notification. CC ID 16680 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include service charges and commissions in the securities transaction notification. CC ID 16702 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include the funds and securities in the possession of the organization in the securities transaction notification. CC ID 16679 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include the call price in the securities transaction notification. CC ID 16678 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include debits and credits in the securities transaction notification. CC ID 16677 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include transactions in the securities transaction notification. CC ID 16676 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include the credit rating of securities in the securities transaction notification. CC ID 16674 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include yield information in the securities transaction notification. CC ID 16673 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include redemption information in the securities transaction notification. CC ID 16672 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include the price calculated from the yield in the securities transaction notification. CC ID 16669 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include the type of call in the securities transaction notification. CC ID 16668 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include an account statement in the securities transaction notification. CC ID 16666 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include the yield to maturity in the securities transaction notification. CC ID 16665 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include the execution price in the securities transaction notification. CC ID 16664 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include the organization's role in the securities transaction notification. CC ID 16646 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include the name of the broker in the securities transaction notification. CC ID 16647 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include the name of the customer in the securities transaction notification. CC ID 16625 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include the organization's name in the securities transaction notification. CC ID 16624 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include confirmations in the securities transaction notification. CC ID 16623 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include remunerations in the securities transaction notification. CC ID 16622 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include requested information in the securities transaction notification. CC ID 16641 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Disseminate and communicate securities transaction notifications to interested personnel and affected parties. CC ID 16621 | Leadership and high level objectives | Communicate | |
| Include the execution date in the securities transaction notification. CC ID 16620 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Establish, implement, and maintain financial reports. CC ID 14770 [Without prejudice to the responsibility of the members of the administrative, management or supervisory bodies, or of other members who are appointed by the general meeting of shareholders of the audited entity, the audit committee shall, inter alia: monitor the financial reporting process; Article 41 2.(a)] | Leadership and high level objectives | Establish/Maintain Documentation | |
| Structure financial reports in accordance with external requirements, as necessary. CC ID 14776 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include the report of independent Certified Public Accountants in the financial report. CC ID 14779 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include the business need justification for lost value in the financial report. CC ID 15588 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Disseminate and communicate the financial report to interested personnel and affected parties. CC ID 16342 | Leadership and high level objectives | Communicate | |
| Include financial statements in the financial report, as necessary. CC ID 14775 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include capital deductions and adjustments in the financial statement. CC ID 16667 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include earnings per share or loss per share in the financial statement. CC ID 16597 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include material contingencies in the financial statement. CC ID 16596 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include notes to financial statements in the financial report, as necessary. CC ID 14780 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include information on loans to small businesses and small farms in the call report. CC ID 16731 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include assets and liabilities in the call report. CC ID 16729 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Disseminate and communicate the call report to interested personnel and affected parties. CC ID 16727 | Leadership and high level objectives | Communicate | |
| Establish, implement, and maintain a compliance monitoring policy. CC ID 00671 | Monitoring and measurement | Establish/Maintain Documentation | |
| Establish, implement, and maintain a metrics policy. CC ID 01654 | Monitoring and measurement | Establish/Maintain Documentation | |
| Establish, implement, and maintain an approach for compliance monitoring. CC ID 01653 | Monitoring and measurement | Establish/Maintain Documentation | |
| Align disciplinary actions with the level of compliance violation. CC ID 12404 | Monitoring and measurement | Human Resources Management | |
| Establish, implement, and maintain disciplinary action notices. CC ID 16577 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include a copy of the order in the disciplinary action notice. CC ID 16606 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include the sanctions imposed in the disciplinary action notice. CC ID 16599 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include the effective date of the sanctions in the disciplinary action notice. CC ID 16589 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include the requirements that were violated in the disciplinary action notice. CC ID 16588 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include responses to charges from interested personnel and affected parties in the disciplinary action notice. CC ID 16587 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include the reasons for imposing sanctions in the disciplinary action notice. CC ID 16586 | Monitoring and measurement | Establish/Maintain Documentation | |
| Disseminate and communicate the disciplinary action notice to interested personnel and affected parties. CC ID 16585 [Where a competent authority concludes that activities contrary to the provisions of this Directive are being or have been carried out on the territory of another Member State, it shall notify the competent authority of the other Member State of that conclusion in as specific a manner as possible. The competent authority of the other Member State shall take appropriate action. It shall inform the notifying competent authority of the outcome and, to the extent possible, of significant interim developments. Article 36 5.] | Monitoring and measurement | Communicate | |
| Include required information in the disciplinary action notice. CC ID 16584 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include a justification for actions taken in the disciplinary action notice. CC ID 16583 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include a statement on the conclusions of the investigation in the disciplinary action notice. CC ID 16582 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include the investigation results in the disciplinary action notice. CC ID 16581 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include a description of the causes of the actions taken in the disciplinary action notice. CC ID 16580 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include the name of the person responsible for the charges in the disciplinary action notice. CC ID 16579 | Monitoring and measurement | Establish/Maintain Documentation | |
| Include contact information in the disciplinary action notice. CC ID 16578 | Monitoring and measurement | Establish/Maintain Documentation | |
| Establish, implement, and maintain a Statement of Compliance. CC ID 12499 | Audits and risk management | Establish/Maintain Documentation | |
| Publish a Statement of Compliance for the organization's external requirements. CC ID 12350 [Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: the overall results of the quality assurance system shall be published annually; Article 29 1.(i)] | Audits and risk management | Communicate | |
| Define the roles and responsibilities for personnel assigned to tasks in the Audit function. CC ID 00678 [Member States shall ensure that in the case of a statutory audit of the consolidated accounts of a group of undertakings: the group auditor bears the full responsibility for the audit report in relation with the consolidated accounts; Article 27 ¶ 1 (a)] | Audits and risk management | Establish Roles | |
| Manage supply chain audits. CC ID 01203 | Audits and risk management | Audits and Risk Management | |
| Review the external auditors involvement in assessing Information Technology controls. CC ID 01204 | Audits and risk management | Audits and Risk Management | |
| Rotate auditors, as necessary. CC ID 15589 [Member States shall ensure that the key audit partner(s) responsible for carrying out a statutory audit rotate(s) from the audit engagement within a maximum period of seven years from the date of appointment and is/are allowed to participate in the audit of the audited entity again after a period of at least two years. Article 42 2.] | Audits and risk management | Audits and Risk Management | |
| Withdraw the approvals of auditors, as necessary. CC ID 17260 [Approval of a statutory auditor or an audit firm shall be withdrawn if the good repute of that person or firm has been seriously compromised. Member States may, however, provide for a reasonable period of time for the purpose of meeting the requirements of good repute. Article 5 1. Approval of an audit firm shall be withdrawn if any of the conditions imposed in Article 3(4), points (b) and (c) is no longer fulfilled. Member States may, however, provide for a reasonable period of time for the purpose of fulfilling those conditions. Article 5 2. Member States shall ensure that statutory auditors or audit firms may be dismissed only where there are proper grounds. Divergence of opinions on accounting treatments or audit procedures shall not be proper grounds for dismissal. Article 38 1.] | Audits and risk management | Business Processes | |
| Define the qualification requirements for auditors. CC ID 17259 [The competent authorities of the Member States may approve as audit firms only those entities which satisfy the following conditions: the natural persons who carry out statutory audits on behalf of an audit firm must satisfy at least the conditions imposed by Articles 4 and 6 to 12 and must be approved as statutory auditors in the Member State concerned; Article 3 4.(a) Without prejudice to Article 11, the competent authorities of the Member States may approve as statutory auditors only natural persons who satisfy at least the conditions laid down in Articles 4 and 6 to 10. Article 3 3. The competent authorities of the Member States may approve as audit firms only those entities which satisfy the following conditions: a majority of the voting rights in an entity must be held by audit firms which are approved in any Member State or by natural persons who satisfy at least the conditions imposed by Articles 4 and 6 to 12. Member States may provide that such natural persons must also have been approved in another Member State. For the purpose of the statutory audit of cooperatives and similar entities as referred to in Article 45 of Directive 86/635/EEC, Member States may establish other specific provisions in relation to voting rights; Article 3 4.(b) The competent authorities of the Member States may approve as audit firms only those entities which satisfy the following conditions: a majority — up to a maximum of 75 % — of the members of the administrative or management body of the entity must be audit firms which are approved in any Member State or natural persons who satisfy at least the conditions imposed by Articles 4 and 6 to 12. Member States may provide that such natural persons must also have been approved in another Member State. Where such a body has no more than two members, one of those members must satisfy at least the conditions in this point; Article 3 4.(c) The competent authorities of the Member States may approve as audit firms only those entities which satisfy the following conditions: the firm must satisfy the condition imposed by Article 4. Article 3 4.(d) {audit firms} The competent authorities of a Member State may grant approval only to natural persons or firms of good repute. Article 4 ¶ 1 Without prejudice to Article 11, a natural person may be approved to carry out a statutory audit only after having attained university entrance or equivalent level, then completed a course of theoretical instruction, undergone practical training and passed an examination of professional competence of university final or equivalent examination level, organised or recognised by the Member State concerned. Article 6 ¶ 1 A Member State may approve a person who does not satisfy the conditions laid down in Article 6 as a statutory auditor, if he or she can show either: that he or she has, for 15 years, engaged in professional activities which have enabled him or her to acquire sufficient experience in the fields of finance, law and accountancy, and has passed the examination of professional competence referred to in Article 7, or Article 11 ¶ 1 (a) A Member State may approve a person who does not satisfy the conditions laid down in Article 6 as a statutory auditor, if he or she can show either: that he or she has, for seven years, engaged in professional activities in those fields and has, in addition, undergone the practical training referred to in Article 10 and passed the examination of professional competence referred to in Article 7. Article 11 ¶ 1 (b) The competent authorities of the Member States shall establish procedures for the approval of statutory auditors who have been approved in other Member States. Those procedures shall not go beyond a requirement to pass an aptitude test in accordance with Article 4 of Council Directive 89/48/EEC of 21 December 1988 on a general system for the recognition of higher-education diplomas awarded on completion of professional education and training of at least three years' duration (18). The aptitude test, which shall be conducted in one of the languages permitted by the language rules applicable in the Member State concerned, shall cover only the statutory auditor's adequate knowledge of the laws and regulations of that Member State in so far as relevant to statutory audits. Article 14 ¶ 1 In order to ensure the ability to apply theoretical knowledge in practice, a test of which is included in the examination, a trainee shall complete a minimum of three years' practical training in, inter alia, the auditing of annual accounts, consolidated accounts or similar financial statements. At least two thirds of such practical training shall be completed with a statutory auditor or audit firm approved in any Member State. Article 10 1. Member States shall ensure that the key audit partner(s) responsible for carrying out a statutory audit rotate(s) from the audit engagement within a maximum period of seven years from the date of appointment and is/are allowed to participate in the audit of the audited entity again after a period of at least two years. Article 42 2. Subject to reciprocity, the competent authorities of a Member State may approve a third-country auditor as statutory auditor if that person has furnished proof that he or she complies with requirements equivalent to those laid down in Articles 4 and 6 to 13. Article 44 1.] | Audits and risk management | Human Resources Management | |
| Disseminate and communicate the auditor's qualification requirements to interested personnel and affected parties. CC ID 17265 | Audits and risk management | Communicate | |
| Assign the roles and responsibilities for the Board of Directors and senior management in the Audit function. CC ID 00679 | Audits and risk management | Establish Roles | |
| Assign the internal audit staff to be independent from business units reporting to the Board of Directors. CC ID 01184 | Audits and risk management | Establish Roles | |
| Define and assign the internal audit manager's roles and responsibilities. CC ID 00680 | Audits and risk management | Establish Roles | |
| Assign the internal audit manager's compensation and performance review to the Board of Directors or audit committee. CC ID 01186 | Audits and risk management | Establish Roles | |
| Define and assign the internal audit staff's roles and responsibilities. CC ID 00681 | Audits and risk management | Establish Roles | |
| Assign the responsibility for operating an internal control system to the internal audit staff. CC ID 01187 | Audits and risk management | Establish Roles | |
| Define and assign the external auditor's roles and responsibilities. CC ID 00683 [The statutory auditor or audit firm shall be appointed by the general meeting of shareholders or members of the audited entity. Article 37 1.] | Audits and risk management | Establish Roles | |
| Engage auditors who have adequate knowledge of the subject matter. CC ID 07102 | Audits and risk management | Audits and Risk Management | |
| Retain copies of external auditor outsourcing contracts and engagement letters. CC ID 01188 | Audits and risk management | Establish/Maintain Documentation | |
| Review external auditor outsourcing contracts and engagement letters. CC ID 01189 [Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: the scope of the quality assurance review, supported by adequate testing of selected audit files, shall include an assessment of compliance with applicable auditing standards and independence requirements, of the quantity and quality of resources spent, of the audit fees charged and of the internal quality control system of the audit firm; Article 29 1.(f)] | Audits and risk management | Establish/Maintain Documentation | |
| Include roles and responsibilities in external auditor outsourcing contracts. CC ID 16523 | Audits and risk management | Establish/Maintain Documentation | |
| Include a change control clause in external auditor outsourcing contracts. CC ID 01192 | Audits and risk management | Establish/Maintain Documentation | |
| Include procedures for resolving problems in external auditor outsourcing contracts. CC ID 01196 | Audits and risk management | Establish/Maintain Documentation | |
| Include procedures for controlling the use of restricted information in external auditor outsourcing contracts. CC ID 01194 | Audits and risk management | Establish/Maintain Documentation | |
| Include reports and work paper Records Management practices in external auditor outsourcing contracts. CC ID 01195 | Audits and risk management | Establish/Maintain Documentation | |
| Include communication protocols in external auditor outsourcing contracts. CC ID 01201 | Audits and risk management | Establish/Maintain Documentation | |
| Review the external audit scope, as necessary. CC ID 01202 | Audits and risk management | Audits and Risk Management | |
| Include the scope and work to be performed in external auditor outsourcing contracts. CC ID 01190 | Audits and risk management | Establish/Maintain Documentation | |
| Include work status reporting requirements in the external auditor outsourcing contracts. CC ID 01191 | Audits and risk management | Establish/Maintain Documentation | |
| Include access to work papers in external auditor outsourcing contracts. CC ID 01193 | Audits and risk management | Establish/Maintain Documentation | |
| Review the external auditor's qualifications. CC ID 01197 | Audits and risk management | Audits and Risk Management | |
| Conduct a performance review of the external auditor's performance during the audit process. CC ID 01198 [{investigation process} {disciplinary process} The system of public oversight shall have the ultimate responsibility for the oversight of: continuing education, quality assurance and investigative and disciplinary systems. Article 32 4.(c) The competent authorities of Member States responsible for approval, registration, quality assurance, inspection and discipline shall cooperate with each other whenever necessary for the purpose of carrying out their respective responsibilities under this Directive. The competent authorities in a Member State responsible for approval, registration, quality assurance, inspection and discipline shall render assistance to competent authorities in other Member States. In particular, competent authorities shall exchange information and cooperate in investigations related to the carrying-out of statutory audits. Article 36 1. The system of public oversight shall have the right, where necessary, to conduct investigations in relation to statutory auditors and audit firms and the right to take appropriate action. Article 32 5. Member States shall ensure that there are effective systems of investigations and penalties to detect, correct and prevent inadequate execution of the statutory audit. Article 30 1. {third-country audit entity} Member States shall subject registered third-country auditors and audit entities to their systems of oversight, their quality assurance systems and their systems of investigation and penalties. A Member State may exempt a registered third-country auditor or audit entity from being subject to its quality assurance system if another Member State's or third country's system of quality assurance that has been assessed as equivalent in accordance with Article 46 has carried out a quality review of the third-country auditor or audit entity concerned during the previous three years. Article 45 3.] | Audits and risk management | Audits and Risk Management | |
| Review the adequacy of the external auditor's work papers and audit reports. CC ID 01199 | Audits and risk management | Establish/Maintain Documentation | |
| Review the conclusions of the external auditor's work papers and audit reports. CC ID 01200 | Audits and risk management | Establish/Maintain Documentation | |
| Question external auditors about how audits were conducted and what is in the audit reports. CC ID 04587 | Audits and risk management | Behavior | |
| Disseminate and communicate with the organization about any missing audit documentation. CC ID 06992 | Audits and risk management | Behavior | |
| Evaluate any refusal by the organization to provide missing audit documentation. CC ID 06993 | Audits and risk management | Establish/Maintain Documentation | |
| Take appropriate action if missing audit documentation compromises the audit. CC ID 06994 | Audits and risk management | Establish/Maintain Documentation | |
| Establish, implement, and maintain an audit program. CC ID 00684 [Without prejudice to the responsibility of the members of the administrative, management or supervisory bodies, or of other members who are appointed by the general meeting of shareholders of the audited entity, the audit committee shall, inter alia: monitor the statutory audit of the annual and consolidated accounts; Article 41 2.(c)] | Audits and risk management | Establish/Maintain Documentation | |
| Establish, implement, and maintain audit policies. CC ID 13166 | Audits and risk management | Establish/Maintain Documentation | |
| Assign the audit to impartial auditors. CC ID 07118 [Member States shall ensure that when carrying out a statutory audit, the statutory auditor and/or the audit firm is independent of the audited entity and is not involved in the decision-taking of the audited entity. Article 22 1. {alternative measures} Member States may allow alternative systems or modalities for the appointment of the statutory auditor or audit firm, provided that those systems or modalities are designed to ensure the independence of the statutory auditor or audit firm from the executive members of the administrative body or from the managerial body of the audited entity. Article 37 2.] | Audits and risk management | Establish Roles | |
| Define what constitutes a threat to independence. CC ID 16824 [In addition to the provisions laid down in Articles 22 and 24, Member States shall ensure that statutory auditors or audit firms that carry out the statutory audit of a public-interest entity: discuss with the audit committee the threats to their independence and the safeguards applied to mitigate those threats as documented by them pursuant to Article 22(3). Article 42 1.(c)] | Audits and risk management | Audits and Risk Management | |
| Mitigate the threats to an auditor's independence. CC ID 17282 [Member States shall ensure that a statutory auditor or an audit firm shall not carry out a statutory audit if there is any direct or indirect financial, business, employment or other relationship — including the provision of additional non-audit services — between the statutory auditor, audit firm or network and the audited entity from which an objective, reasonable and informed third party would conclude that the statutory auditor's or audit firm's independence is compromised. If the statutory auditor's or audit firm's independence is affected by threats, such as self-review, self-interest, advocacy, familiarity or trust or intimidation, the statutory auditor or audit firm must apply safeguards in order to mitigate those threats. If the significance of the threats compared to the safeguards applied is such that his, her or its independence is compromised, the statutory auditor or audit firm shall not carry out the statutory audit. Article 22 2. ¶ 1 Member States shall ensure that a statutory auditor or audit firm documents in the audit working papers all significant threats to his, her or its independence as well as the safeguards applied to mitigate those threats. Article 22 3. {administrative bodies} {management bodies} Member States shall ensure that the owners or shareholders of an audit firm as well as the members of the administrative, management and supervisory bodies of such a firm, or of an affiliated firm, do not intervene in the execution of a statutory audit in any way which jeopardises the independence and objectivity of the statutory auditor who carries out the statutory audit on behalf of the audit firm. Article 24 ¶ 1 In addition to the provisions laid down in Articles 22 and 24, Member States shall ensure that statutory auditors or audit firms that carry out the statutory audit of a public-interest entity: discuss with the audit committee the threats to their independence and the safeguards applied to mitigate those threats as documented by them pursuant to Article 22(3). Article 42 1.(c)] | Audits and risk management | Process or Activity | |
| Exercise due professional care during the planning and performance of the audit. CC ID 07119 | Audits and risk management | Behavior | |
| Include resource requirements in the audit program. CC ID 15237 | Audits and risk management | Establish/Maintain Documentation | |
| Include risks and opportunities in the audit program. CC ID 15236 | Audits and risk management | Establish/Maintain Documentation | |
| Include provisions for legislative plurality and legislative domain in the audit program. CC ID 06959 | Audits and risk management | Audits and Risk Management | |
| Establish and maintain audit terms. CC ID 13880 | Audits and risk management | Establish/Maintain Documentation | |
| Refrain from approving changes to the audit terms absent reasonable justification. CC ID 13973 | Audits and risk management | Process or Activity | |
| Include a statement about the inherent limitations of the audit in the audit terms. CC ID 13883 | Audits and risk management | Establish/Maintain Documentation | |
| Include a statement that the audit will be conducted in accordance with attestation standards in the audit terms. CC ID 13882 | Audits and risk management | Establish/Maintain Documentation | |
| Establish, implement, and maintain agreed upon procedures that are in scope for the audit. CC ID 13893 | Audits and risk management | Establish/Maintain Documentation | |
| Establish, implement, and maintain an in scope system description. CC ID 14873 | Audits and risk management | Establish/Maintain Documentation | |
| Include in scope procedures in the audit assertion's in scope system description. CC ID 16551 | Audits and risk management | Audits and Risk Management | |
| Include roles and responsibilities in the audit assertion's in scope system description. CC ID 16558 | Audits and risk management | Audits and Risk Management | |
| Include the audit criteria in the audit assertion's in scope system description. CC ID 16548 | Audits and risk management | Audits and Risk Management | |
| Include facility locations in the audit assertion's in scope system description. CC ID 17261 | Audits and risk management | Establish/Maintain Documentation | |
| Include third party data in the audit assertion's in scope system description. CC ID 16554 | Audits and risk management | Audits and Risk Management | |
| Include third party personnel in the audit assertion's in scope system description. CC ID 16552 | Audits and risk management | Audits and Risk Management | |
| Include compliance requirements in the audit assertion's in scope system description. CC ID 16506 | Audits and risk management | Audits and Risk Management | |
| Include third party assets in the audit assertion's in scope system description. CC ID 16550 | Audits and risk management | Audits and Risk Management | |
| Include third party services in the audit assertion's in scope system description. CC ID 16503 | Audits and risk management | Establish/Maintain Documentation | |
| Include monitoring controls in the audit assertion's in scope system description. CC ID 16501 | Audits and risk management | Establish/Maintain Documentation | |
| Include availability commitments in the audit assertion's in scope system description. CC ID 14914 | Audits and risk management | Establish/Maintain Documentation | |
| Include deviations and the corrective actions taken in the audit assertion's in scope system description. CC ID 16549 | Audits and risk management | Audits and Risk Management | |
| Include changes in the audit assertion's in scope system description. CC ID 14894 | Audits and risk management | Establish/Maintain Documentation | |
| Include external communications in the audit assertion's in scope system description. CC ID 14913 | Audits and risk management | Establish/Maintain Documentation | |
| Include a section regarding incidents related to the system in the audit assertion’s in scope system description. CC ID 14878 | Audits and risk management | Establish/Maintain Documentation | |
| Include the function performed by the in scope system in the audit assertion's in scope system description. CC ID 14911 | Audits and risk management | Establish/Maintain Documentation | |
| Include the disposition of the incident in the audit assertion's in scope system description. CC ID 14896 | Audits and risk management | Establish/Maintain Documentation | |
| Include the extent of the incident in the audit assertion's in scope system description. CC ID 14895 | Audits and risk management | Establish/Maintain Documentation | |
| Include the timing of each incident in the audit assertion's in scope system description. CC ID 14891 | Audits and risk management | Establish/Maintain Documentation | |
| Include the nature of each incident in the audit assertion's in scope system description. CC ID 14889 | Audits and risk management | Establish/Maintain Documentation | |
| Include a section regarding in scope controls related to the system in the audit assertion's in scope system description. CC ID 14897 | Audits and risk management | Establish/Maintain Documentation | |
| Include how the in scope system meets external requirements in the audit assertion's in scope system description. CC ID 16502 | Audits and risk management | Establish/Maintain Documentation | |
| Include the timing of each control in the audit assertion's in scope system description. CC ID 14916 | Audits and risk management | Establish/Maintain Documentation | |
| Include the nature of the control in the audit assertion's in scope system description. CC ID 14910 | Audits and risk management | Establish/Maintain Documentation | |
| Include the information sources used in performing the control in the audit assertion's in scope system description. CC ID 14909 | Audits and risk management | Establish/Maintain Documentation | |
| Include the responsible party for performing the control in the audit assertion's in scope system description. CC ID 14907 | Audits and risk management | Establish/Maintain Documentation | |
| Include the subject matter to which the control is applied in the audit assertion's in scope system description. CC ID 14904 | Audits and risk management | Establish/Maintain Documentation | |
| Refrain from omitting or distorting information in the audit assertion's in scope system description. CC ID 14893 | Audits and risk management | Establish/Maintain Documentation | |
| Include the timing of each change in the audit assertion's in scope system description. CC ID 14892 | Audits and risk management | Establish/Maintain Documentation | |
| Include the system boundaries in the audit assertion's in scope system description. CC ID 14887 | Audits and risk management | Establish/Maintain Documentation | |
| Include the time frame covered by the description in the audit assertion's in scope system description. CC ID 14884 | Audits and risk management | Establish/Maintain Documentation | |
| Include commitments to third parties in the audit assertion. CC ID 14899 | Audits and risk management | Establish/Maintain Documentation | |
| Determine the completeness of the audit assertion's in scope system description. CC ID 14883 | Audits and risk management | Establish/Maintain Documentation | |
| Include system requirements in the audit assertion's in scope system description. CC ID 14881 | Audits and risk management | Establish/Maintain Documentation | |
| Include third party controls in the audit assertion's in scope system description. CC ID 14880 | Audits and risk management | Establish/Maintain Documentation | |
| Hold an opening meeting with interested personnel and affected parties prior to an audit. CC ID 15256 | Audits and risk management | Audits and Risk Management | |
| Identify personnel who should attend the closing meeting. CC ID 15261 | Audits and risk management | Business Processes | |
| Include discussions about how particular situations will be handled in the opening meeting. CC ID 15254 | Audits and risk management | Audits and Risk Management | |
| Include agreement to the audit scope and audit terms in the audit program. CC ID 06965 | Audits and risk management | Establish/Maintain Documentation | |
| Establish and maintain a bespoke audit scope for each audit being performed. CC ID 13077 | Audits and risk management | Establish/Maintain Documentation | |
| Include third party assets in the audit scope. CC ID 16504 | Audits and risk management | Audits and Risk Management | |
| Include audit subject matter in the audit program. CC ID 07103 | Audits and risk management | Establish/Maintain Documentation | |
| Examine the availability of the audit criteria in the audit program. CC ID 16520 | Audits and risk management | Investigate | |
| Examine the objectivity of the audit criteria in the audit program. CC ID 07104 | Audits and risk management | Establish/Maintain Documentation | |
| Examine the measurability of the audit criteria in the audit program. CC ID 07105 | Audits and risk management | Establish/Maintain Documentation | |
| Examine the completeness of the audit criteria in the audit program. CC ID 07106 | Audits and risk management | Establish/Maintain Documentation | |
| Examine the relevance of the audit criteria in the audit program. CC ID 07107 | Audits and risk management | Establish/Maintain Documentation | |
| Determine the appropriateness of the audit subject matter. CC ID 16505 | Audits and risk management | Audits and Risk Management | |
| Disseminate and communicate the audit program with the audit subject matter and audit criteria to all interested personnel and affected parties. CC ID 07116 | Audits and risk management | Establish/Maintain Documentation | |
| Include the in scope material or in scope products in the audit program. CC ID 08961 | Audits and risk management | Audits and Risk Management | |
| Include in scope information in the audit program. CC ID 16198 | Audits and risk management | Establish/Maintain Documentation | |
| Include the out of scope material or out of scope products in the audit program. CC ID 08962 | Audits and risk management | Establish/Maintain Documentation | |
| Provide a representation letter in support of the audit assertion. CC ID 07158 | Audits and risk management | Establish/Maintain Documentation | |
| Include the date of the audit in the representation letter. CC ID 16517 | Audits and risk management | Audits and Risk Management | |
| Include a statement that management has evaluated compliance with external requirements in the representation letter. CC ID 13942 | Audits and risk management | Establish/Maintain Documentation | |
| Include a statement that management has disclosed the implementation status in the representation letter. CC ID 17162 | Audits and risk management | Audits and Risk Management | |
| Include a statement that the assumptions used for estimates are reasonable in the representation letter. CC ID 13934 | Audits and risk management | Establish/Maintain Documentation | |
| Include a statement that uncorrected misstatements are believed to be immaterial in the representation letter. CC ID 13884 | Audits and risk management | Establish/Maintain Documentation | |
| Include a statement that system incidents have been disclosed to the auditor in the representation letter. CC ID 16772 | Audits and risk management | Establish/Maintain Documentation | |
| Include a statement that incidents of fraud and non-compliance have been disclosed to the auditor in the representation letter. CC ID 16769 | Audits and risk management | Establish/Maintain Documentation | |
| Include a statement of responsibility for the subject matter in the representation letter. CC ID 07159 | Audits and risk management | Establish/Maintain Documentation | |
| Include a statement of responsibility for selecting the audit criteria in the representation letter. CC ID 07160 | Audits and risk management | Establish/Maintain Documentation | |
| Include a statement of responsibility regarding the appropriateness of the audit criteria in the representation letter. CC ID 07161 | Audits and risk management | Establish/Maintain Documentation | |
| Include an assertion about the subject matter based on the selected audit criteria in the representation letter. CC ID 07162 | Audits and risk management | Establish/Maintain Documentation | |
| Include a statement that all known matters contradicting the audit assertion have been disclosed to the auditor in the representation letter. CC ID 07163 | Audits and risk management | Establish/Maintain Documentation | |
| Include the availability of all in scope records relevant to the subject matter in the representation letter. CC ID 07164 | Audits and risk management | Establish/Maintain Documentation | |
| Include a statement that any known subsequent events have been disclosed to the auditor in the representation letter. CC ID 07165 | Audits and risk management | Establish/Maintain Documentation | |
| Include a statement that deficiencies in internal controls have been disclosed to the auditor in the representation letter. CC ID 13899 | Audits and risk management | Establish/Maintain Documentation | |
| Include an in scope system description in the audit assertion. CC ID 14872 | Audits and risk management | Establish/Maintain Documentation | |
| Include any assumptions that are improbable in the audit assertion. CC ID 13950 | Audits and risk management | Establish/Maintain Documentation | |
| Include investigations and legal proceedings in the audit assertion. CC ID 16846 | Audits and risk management | Establish/Maintain Documentation | |
| Include how the audit scope matches in scope controls in the audit assertion. CC ID 06969 | Audits and risk management | Establish/Maintain Documentation | |
| Include why specific criteria are ignored by in scope controls in the audit assertion. CC ID 07027 | Audits and risk management | Establish/Maintain Documentation | |
| Include how the in scope system is designed and implemented in the audit assertion. CC ID 06970 | Audits and risk management | Establish/Maintain Documentation | |
| Include the responsible party's opinion of the quality of the evidence in the audit assertion. CC ID 13949 | Audits and risk management | Establish/Maintain Documentation | |
| Include the end users and affected parties of the in scope system in the audit assertion. CC ID 07028 | Audits and risk management | Establish/Maintain Documentation | |
| Include the in scope services offered or in scope transactions processed in the audit assertion. CC ID 06971 | Audits and risk management | Establish/Maintain Documentation | |
| Include the in scope procedures in the audit assertion. CC ID 06972 | Audits and risk management | Establish/Maintain Documentation | |
| Include the in scope records produced in the audit assertion. CC ID 06968 | Audits and risk management | Establish/Maintain Documentation | |
| Include how in scope material events are monitored and logged in the audit assertion. CC ID 06973 | Audits and risk management | Establish/Maintain Documentation | |
| Include any in scope material events that might affect the assertion in the audit assertion. CC ID 06991 | Audits and risk management | Establish/Maintain Documentation | |
| Include the in scope controls and compliance documents in the audit assertion. CC ID 06974 | Audits and risk management | Establish/Maintain Documentation | |
| Include the in scope risk assessment processes in the audit assertion. CC ID 06975 | Audits and risk management | Establish/Maintain Documentation | |
| Include in scope change controls in the audit assertion. CC ID 06976 | Audits and risk management | Establish/Maintain Documentation | |
| Include any in scope uncorrected errors or non-compliance issues in the audit assertion. CC ID 06989 | Audits and risk management | Establish/Maintain Documentation | |
| Disseminate and communicate a written audit assertion of the audit scope and audit terms to interested personnel and affected parties. CC ID 06967 | Audits and risk management | Establish/Maintain Documentation | |
| Include the scope for the desired level of assurance in the audit program. CC ID 12793 | Audits and risk management | Communicate | |
| Include conditions that might require modification of the audit program in the audit terms. CC ID 07149 | Audits and risk management | Establish/Maintain Documentation | |
| Include how access to in scope systems, personnel and in scope records are provided to the auditor in the audit terms. CC ID 06988 | Audits and risk management | Establish/Maintain Documentation | |
| Include the criteria for determining the desired level of assurance in the audit program. CC ID 12795 | Audits and risk management | Audits and Risk Management | |
| Establish, implement, and maintain procedures for determining the desired level of assurance in the audit program. CC ID 12794 | Audits and risk management | Establish/Maintain Documentation | |
| Include the expectations for the audit report in the audit terms. CC ID 07148 | Audits and risk management | Establish/Maintain Documentation | |
| Establish and maintain a practitioner’s report on management’s assertions, as necessary. CC ID 13888 | Audits and risk management | Establish/Maintain Documentation | |
| Hold a closing meeting following an audit to present audit findings and conclusions. CC ID 15248 | Audits and risk management | Communicate | |
| Include materiality levels in the audit terms. CC ID 01238 | Audits and risk management | Establish/Maintain Documentation | |
| Include material changes in information processes, Information Systems, and assets that could affect audits in the audit terms. CC ID 01239 | Audits and risk management | Establish/Maintain Documentation | |
| Include material weaknesses, material failures, and material errors in information processes, Information Systems, and assets that could affect audits in the audit terms. CC ID 01240 | Audits and risk management | Establish/Maintain Documentation | |
| Schedule attestation engagement meetings with interested personnel and affected parties, as necessary. CC ID 15263 | Audits and risk management | Business Processes | |
| Refrain from accepting an attestation engagement when the engaging party refuses to sign the engagement letter. CC ID 14912 | Audits and risk management | Business Processes | |
| Refrain from accepting an attestation engagement unless the prospective financial information includes a summary of significant assumptions. CC ID 13954 | Audits and risk management | Behavior | |
| Refrain from accepting an attestation engagement when all parties disagree on the procedures. CC ID 13951 | Audits and risk management | Audits and Risk Management | |
| Accept the attestation engagement when all preconditions are met. CC ID 13933 | Audits and risk management | Business Processes | |
| Audit in scope audit items and compliance documents. CC ID 06730 [A statutory audit shall be carried out only by statutory auditors or audit firms which are approved by the Member State requiring the statutory audit. Article 3 1. Member States shall require statutory auditors and audit firms to carry out statutory audits in compliance with international auditing standards adopted by the Commission in accordance with the procedure referred to in Article 48(2). Member States may apply a national auditing standard as long as the Commission has not adopted an international auditing standard covering the same subject-matter. Adopted international auditing standards shall be published in full in each of the official languages of the Community in the Official Journal of the European Union. Article 26 1.] | Audits and risk management | Audits and Risk Management | |
| Collect all work papers for the audit and audit report into an engagement file. CC ID 07001 [Member States shall ensure that in the case of a statutory audit of the consolidated accounts of a group of undertakings: when a component of a group of undertakings is audited by auditor(s) or audit entity(ies) from a third country that has no working arrangement as referred to in Article 47, the group auditor is responsible for ensuring proper delivery, when requested, to the public oversight authorities of the documentation of the audit work performed by the third-country auditor(s) or audit entity(ies), including the working papers relevant to the group audit. To ensure such delivery, the group auditor shall retain a copy of such documentation, or alternatively agree with the third-country auditor(s) or audit entity(ies) his proper and unrestricted access upon request, or take any other appropriate action. If legal or other impediments prevent audit working papers from being passed from a third country to the group auditor, the documentation retained by the group auditor shall include evidence that he or she has undertaken the appropriate procedures in order to gain access to the audit documentation, and in the case of impediments other than legal ones arising from country legislation, evidence supporting such an impediment. Article 27 ¶ 1 (c)] | Audits and risk management | Actionable Reports or Measurements | |
| Document any after the fact changes to the engagement file. CC ID 07002 | Audits and risk management | Establish/Maintain Documentation | |
| Protect access to the engagement file and all associated audit documentation in compliance with Authority Documents the organization must follow. CC ID 07179 | Audits and risk management | Establish/Maintain Documentation | |
| Disclose work papers in the engagement file in compliance with legal requirements. CC ID 07180 [Member States may allow the transfer to the competent authorities of a third country of audit working papers or other documents held by statutory auditors or audit firms approved by them, provided that: those audit working papers or other documents relate to audits of companies which have issued securities in that third country or which form part of a group issuing statutory consolidated accounts in that third country; Article 47 1.(a) Member States may allow the transfer to the competent authorities of a third country of audit working papers or other documents held by statutory auditors or audit firms approved by them, provided that: the transfer takes place via the home competent authorities to the competent authorities of that third country and at their request; Article 47 1.(b) Member States may allow the transfer to the competent authorities of a third country of audit working papers or other documents held by statutory auditors or audit firms approved by them, provided that: the competent authorities of the third country concerned meet requirements which have been declared adequate in accordance with paragraph 3; Article 47 1.(c) Member States may allow the transfer to the competent authorities of a third country of audit working papers or other documents held by statutory auditors or audit firms approved by them, provided that: there are working arrangements on the basis of reciprocity agreed between the competent authorities concerned; Article 47 1.(d) Member States may allow the transfer to the competent authorities of a third country of audit working papers or other documents held by statutory auditors or audit firms approved by them, provided that: the transfer of personal data to the third country is in accordance with Chapter IV of Directive 95/46/EC. Article 47 1.(e) In exceptional cases and by way of derogation from paragraph 1, Member States may allow statutory auditors and audit firms approved by them to transfer audit working papers and other documents directly to the competent authorities of a third country, provided that: investigations have been initiated by the competent authorities in that third country; Article 47 4.(a) In exceptional cases and by way of derogation from paragraph 1, Member States may allow statutory auditors and audit firms approved by them to transfer audit working papers and other documents directly to the competent authorities of a third country, provided that: the transfer does not conflict with the obligations with which statutory auditors and audit firms are required to comply in relation to the transfer of audit working papers and other documents to their home competent authority; Article 47 4.(b) In exceptional cases and by way of derogation from paragraph 1, Member States may allow statutory auditors and audit firms approved by them to transfer audit working papers and other documents directly to the competent authorities of a third country, provided that: there are working arrangements with the competent authorities of that third country that allow the competent authorities in the Member State reciprocal direct access to audit working papers and other documents of that third-country's audit entities; Article 47 4.(c) In exceptional cases and by way of derogation from paragraph 1, Member States may allow statutory auditors and audit firms approved by them to transfer audit working papers and other documents directly to the competent authorities of a third country, provided that: the requesting competent authority of the third country informs in advance the home competent authority of the statutory auditor or audit firm of each direct request for information, indicating the reasons therefor; Article 47 4.(d) In exceptional cases and by way of derogation from paragraph 1, Member States may allow statutory auditors and audit firms approved by them to transfer audit working papers and other documents directly to the competent authorities of a third country, provided that: the conditions referred to in paragraph 2 are respected. Article 47 4.(e)] | Audits and risk management | Establish/Maintain Documentation | |
| Archive the engagement file and all work papers for the period prescribed by law or contract. CC ID 10038 | Audits and risk management | Records Management | |
| Conduct onsite inspections, as necessary. CC ID 16199 | Audits and risk management | Testing | |
| Audit policies, standards, and procedures. CC ID 12927 | Audits and risk management | Audits and Risk Management | |
| Edit the audit assertion for accuracy. CC ID 07030 | Audits and risk management | Establish/Maintain Documentation | |
| Determine if the audit assertion's in scope procedures are accurately documented. CC ID 06982 | Audits and risk management | Establish/Maintain Documentation | |
| Review documentation to determine the effectiveness of in scope controls. CC ID 16522 | Audits and risk management | Process or Activity | |
| Include the process of using evidential matter to test in scope controls in the test plan. CC ID 06996 | Audits and risk management | Establish/Maintain Documentation | |
| Audit the in scope system according to the test plan using relevant evidence. CC ID 07112 | Audits and risk management | Testing | |
| Implement procedures that collect sufficient audit evidence. CC ID 07153 | Audits and risk management | Audits and Risk Management | |
| Collect evidence about the in scope audit items of the audit assertion. CC ID 07154 | Audits and risk management | Audits and Risk Management | |
| Collect audit evidence sufficient to avoid misstatements. CC ID 07155 | Audits and risk management | Audits and Risk Management | |
| Collect audit evidence at the level of the organization's competence in the subject matter. CC ID 07156 | Audits and risk management | Audits and Risk Management | |
| Collect audit evidence sufficient to overcome inadequacies in the organization's attestation. CC ID 07157 | Audits and risk management | Audits and Risk Management | |
| Refrain from using audit evidence that is not sufficient. CC ID 17163 | Audits and risk management | Audits and Risk Management | |
| Report that audit evidence collected was not sufficient to the proper authorities. CC ID 16847 | Audits and risk management | Communicate | |
| Provide transactional walkthrough procedures for external auditors. CC ID 00672 | Audits and risk management | Testing | |
| Establish, implement, and maintain interview procedures. CC ID 16282 | Audits and risk management | Establish/Maintain Documentation | |
| Include roles and responsibilities in the interview procedures. CC ID 16297 | Audits and risk management | Human Resources Management | |
| Coordinate the scheduling of interviews. CC ID 16293 | Audits and risk management | Process or Activity | |
| Create a schedule for the interviews. CC ID 16292 | Audits and risk management | Process or Activity | |
| Identify interviewees. CC ID 16290 | Audits and risk management | Process or Activity | |
| Explain the testing results to the interviewee. CC ID 16291 | Audits and risk management | Process or Activity | |
| Establish and maintain work papers, as necessary. CC ID 13891 [Member States shall ensure that in the case of a statutory audit of the consolidated accounts of a group of undertakings: the group auditor carries out a review and maintains documentation of his or her review of the audit work performed by third-country auditor(s), statutory auditor(s), third-country audit entity(ies) or audit firm(s) for the purpose of the group audit. The documentation retained by the group auditor shall be such as enables the relevant competent authority to review the work of the group auditor properly; Article 27 ¶ 1 (b) The working arrangements referred to in paragraph 1(d) shall ensure that: the competent authorities of the third country may use audit working papers and other documents only for the exercise of their functions of public oversight, quality assurance and investigations that meet requirements equivalent to those of Articles 29, 30 and 32; Article 47 2.(c)] | Audits and risk management | Establish/Maintain Documentation | |
| Include the auditor's conclusions on work performed by individuals assigned to the audit in the work papers. CC ID 16775 | Audits and risk management | Establish/Maintain Documentation | |
| Include audit irregularities in the work papers. CC ID 16774 | Audits and risk management | Establish/Maintain Documentation | |
| Include corrective actions in the work papers. CC ID 16771 | Audits and risk management | Establish/Maintain Documentation | |
| Include information about the organization being audited and the auditor performing the audit in the work papers. CC ID 16770 | Audits and risk management | Establish/Maintain Documentation | |
| Include discussions with interested personnel and affected parties in the work papers. CC ID 16768 | Audits and risk management | Establish/Maintain Documentation | |
| Include justification for departing from mandatory requirements in the work papers. CC ID 13935 | Audits and risk management | Establish/Maintain Documentation | |
| Include audit evidence obtained from previous engagements in the work papers. CC ID 16518 [Member States shall ensure that in the case of a statutory audit of the consolidated accounts of a group of undertakings: when a component of a group of undertakings is audited by auditor(s) or audit entity(ies) from a third country that has no working arrangement as referred to in Article 47, the group auditor is responsible for ensuring proper delivery, when requested, to the public oversight authorities of the documentation of the audit work performed by the third-country auditor(s) or audit entity(ies), including the working papers relevant to the group audit. To ensure such delivery, the group auditor shall retain a copy of such documentation, or alternatively agree with the third-country auditor(s) or audit entity(ies) his proper and unrestricted access upon request, or take any other appropriate action. If legal or other impediments prevent audit working papers from being passed from a third country to the group auditor, the documentation retained by the group auditor shall include evidence that he or she has undertaken the appropriate procedures in order to gain access to the audit documentation, and in the case of impediments other than legal ones arising from country legislation, evidence supporting such an impediment. Article 27 ¶ 1 (c)] | Audits and risk management | Audits and Risk Management | |
| Include the reviewer, and dates, for using evidential matter to test in scope controls in the work papers. CC ID 06998 | Audits and risk management | Establish/Maintain Documentation | |
| Include the tests, examinations, interviews and observations performed during the audit in the work papers. CC ID 07190 | Audits and risk management | Establish/Maintain Documentation | |
| Include if any subject matter experts or additional research had to be undertaken to test in scope controls in the work papers. CC ID 07026 | Audits and risk management | Establish/Maintain Documentation | |
| Include the tester, and dates, for using evidential matter to test in scope controls in the work papers. CC ID 06997 | Audits and risk management | Establish/Maintain Documentation | |
| Include any subsequent events related to the audit assertion or audit subject matter in the work papers. CC ID 07177 | Audits and risk management | Audits and Risk Management | |
| Include the causes of identified in scope control deficiencies in the work papers. CC ID 07000 | Audits and risk management | Establish/Maintain Documentation | |
| Include discussions regarding the causes of identified in scope control deficiencies in the work papers. CC ID 06999 | Audits and risk management | Establish/Maintain Documentation | |
| Supervise interested personnel and affected parties participating in the audit. CC ID 07150 | Audits and risk management | Monitor and Evaluate Occurrences | |
| Notify interested personnel and affected parties participating in the audit of their roles and responsibilities during the audit. CC ID 07151 | Audits and risk management | Establish Roles | |
| Respond to questions or clarification requests regarding the audit. CC ID 08902 | Audits and risk management | Business Processes | |
| Track and measure the implementation of the organizational compliance framework. CC ID 06445 | Audits and risk management | Monitor and Evaluate Occurrences | |
| Review the need for organizational efficiency as balanced against the needs of compliance and security. CC ID 07111 | Audits and risk management | Business Processes | |
| Engage subject matter experts when the auditor requires additional expertise during an attestation engagement, as necessary. CC ID 13971 | Audits and risk management | Process or Activity | |
| Establish, implement, and maintain a practitioner’s report on agreed-upon procedures. CC ID 13894 | Audits and risk management | Establish/Maintain Documentation | |
| Provide auditors access to all in scope records, in scope assets, personnel and in scope procedures. CC ID 06966 [Where a statutory auditor or audit firm is replaced by another statutory auditor or audit firm, the former statutory auditor or audit firm shall provide the incoming statutory auditor or audit firm with access to all relevant information concerning the audited entity. Article 23 3.] | Audits and risk management | Audits and Risk Management | |
| Provide auditors access to affected parties during the audit, as necessary. CC ID 07187 | Audits and risk management | Business Processes | |
| Notify interested personnel and affected parties when an auditee refuses to provide access or participate in the audit. CC ID 08960 | Audits and risk management | Audits and Risk Management | |
| Establish and maintain a practitioner's examination report on pro forma financial information. CC ID 13968 | Audits and risk management | Establish/Maintain Documentation | |
| Include references to where financial information was derived in the practitioner's review report on pro forma financial information. CC ID 13982 | Audits and risk management | Establish/Maintain Documentation | |
| Include a statement that the financial statements used were audited by other practitioners in the practitioner's examination report on pro forma financial information, as necessary. CC ID 13981 | Audits and risk management | Establish/Maintain Documentation | |
| Establish and maintain organizational audit reports. CC ID 06731 | Audits and risk management | Establish/Maintain Documentation | |
| Include the purpose in the audit report. CC ID 17263 | Audits and risk management | Establish/Maintain Documentation | |
| Include the justification for not following the applicable requirements in the audit report. CC ID 16822 | Audits and risk management | Audits and Risk Management | |
| Include a statement that the applicable requirements were not followed in the audit report. CC ID 16821 | Audits and risk management | Audits and Risk Management | |
| Include audit subject matter in the audit report. CC ID 14882 | Audits and risk management | Establish/Maintain Documentation | |
| Include an other-matter paragraph in the audit report. CC ID 14901 | Audits and risk management | Establish/Maintain Documentation | |
| Include that the auditee did not provide comments in the audit report. CC ID 16849 | Audits and risk management | Establish/Maintain Documentation | |
| Include written agreements in the audit report. CC ID 17266 | Audits and risk management | Establish/Maintain Documentation | |
| Write the audit report using clear and conspicuous language. CC ID 13948 | Audits and risk management | Establish/Maintain Documentation | |
| Include a statement that the sufficiency of the agreed upon procedures is the responsibility of the specified parties in the audit report. CC ID 13936 | Audits and risk management | Establish/Maintain Documentation | |
| Include a statement that the financial statements were audited in the audit report. CC ID 13963 | Audits and risk management | Establish/Maintain Documentation | |
| Include the criteria that financial information was measured against in the audit report. CC ID 13966 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of the financial information being reported on in the audit report. CC ID 13965 | Audits and risk management | Establish/Maintain Documentation | |
| Include references to any adjustments of financial information in the audit report. CC ID 13964 | Audits and risk management | Establish/Maintain Documentation | |
| Include in the audit report that audit opinions are not dependent on references to subject matter experts, as necessary. CC ID 13953 | Audits and risk management | Establish/Maintain Documentation | |
| Include references to historical financial information used in the audit report. CC ID 13961 | Audits and risk management | Establish/Maintain Documentation | |
| Include a statement about the inherent limitations of the audit in the audit report. CC ID 14900 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of the limitations on the usefulness of hypothetical assumptions in the audit report. CC ID 13958 | Audits and risk management | Establish/Maintain Documentation | |
| Include the word independent in the title of audit reports. CC ID 07003 | Audits and risk management | Actionable Reports or Measurements | |
| Include the date of the audit in the audit report. CC ID 07024 | Audits and risk management | Actionable Reports or Measurements | |
| Structure the audit report to be in the form of procedures and findings. CC ID 13940 | Audits and risk management | Establish/Maintain Documentation | |
| Include information about the organization being audited and the auditor performing the audit in the audit report. CC ID 07004 [In addition to the provisions laid down in Articles 22 and 24, Member States shall ensure that statutory auditors or audit firms that carry out the statutory audit of a public-interest entity: disclose annually to the audit committee any additional services provided to the audited entity; and Article 42 1.(b)] | Audits and risk management | Actionable Reports or Measurements | |
| Include any discussions of significant findings in the audit report. CC ID 13955 | Audits and risk management | Establish/Maintain Documentation | |
| Include the date and with whom discussions about significant findings took place in the audit report. CC ID 13962 | Audits and risk management | Establish/Maintain Documentation | |
| Include the audit criteria in the audit report. CC ID 13945 | Audits and risk management | Establish/Maintain Documentation | |
| Include a statement in the audit report that the agreed upon procedures were potentially insufficient in identifying material risks, as necessary. CC ID 13957 | Audits and risk management | Establish/Maintain Documentation | |
| Include all hypothetical assumptions in the audit report. CC ID 13947 | Audits and risk management | Establish/Maintain Documentation | |
| Include a statement that access to the report is restricted based on least privilege in the audit report. CC ID 07023 | Audits and risk management | Actionable Reports or Measurements | |
| Include a statement that identifies the distribution list for the report in the audit report. CC ID 07172 | Audits and risk management | Establish/Maintain Documentation | |
| Include a statement that identifies the use restrictions for the report in the audit report. CC ID 07173 | Audits and risk management | Establish/Maintain Documentation | |
| Include a statement that the agreed upon procedures involves collecting evidence in the audit report. CC ID 13956 | Audits and risk management | Establish/Maintain Documentation | |
| Include all of the facts and demonstrated plausibility in the audit report. CC ID 08929 | Audits and risk management | Establish/Maintain Documentation | |
| Include a statement that the agreed upon procedures were performed by all parties in the audit report. CC ID 13931 | Audits and risk management | Establish/Maintain Documentation | |
| Include references to subject matter experts in the audit report when citing qualified opinions. CC ID 13929 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of the assistance provided by Subject Matter Experts in the audit report. CC ID 13939 | Audits and risk management | Establish/Maintain Documentation | |
| Include a review of the subject matter expert's findings in the audit report. CC ID 13972 | Audits and risk management | Establish/Maintain Documentation | |
| Include a statement of the character of the engagement in the audit report. CC ID 07166 | Audits and risk management | Establish/Maintain Documentation | |
| Include the nature and scope of the audit performed in the statement of the character of the engagement in the audit report. CC ID 07167 | Audits and risk management | Establish/Maintain Documentation | |
| Include the professional standards governing the audit in the statement of the character of the engagement in the audit report. CC ID 07168 | Audits and risk management | Establish/Maintain Documentation | |
| Include all restrictions on the audit in the audit report. CC ID 13930 | Audits and risk management | Establish/Maintain Documentation | |
| Include a statement that the auditor has no responsibility to update the audit report after its submission. CC ID 13943 | Audits and risk management | Establish/Maintain Documentation | |
| Include a statement on the auditor's ethical requirements in the audit report. CC ID 16767 | Audits and risk management | Establish/Maintain Documentation | |
| Include a statement that the responsible party refused to provide a written assertion in the audit report. CC ID 13887 | Audits and risk management | Establish/Maintain Documentation | |
| Include a statement that the examination involves procedures for collecting evidence in the audit report. CC ID 13941 | Audits and risk management | Establish/Maintain Documentation | |
| Express an adverse opinion in the audit report when significant assumptions are not suitably supported. CC ID 13944 | Audits and risk management | Establish/Maintain Documentation | |
| Include a statement that modifications to historical evidence accurately reflect current evidence in the audit report. CC ID 13938 | Audits and risk management | Establish/Maintain Documentation | |
| Refrain from referencing previous engagements in the audit report. CC ID 16516 | Audits and risk management | Audits and Risk Management | |
| Refrain from referencing other auditor's work in the audit report. CC ID 13881 | Audits and risk management | Establish/Maintain Documentation | |
| Include that the audit findings are not a predictive analysis of future compliance in the audit report. CC ID 07018 | Audits and risk management | Establish/Maintain Documentation | |
| Include how in scope controls meet external requirements in the audit report. CC ID 16450 | Audits and risk management | Establish/Maintain Documentation | |
| Include the in scope records used to obtain audit evidence in the description of tests of controls and results in the audit report. CC ID 14915 | Audits and risk management | Establish/Maintain Documentation | |
| Include recommended corrective actions in the audit report. CC ID 16197 | Audits and risk management | Establish/Maintain Documentation | |
| Include the cost of corrective action in the audit report. CC ID 17015 | Audits and risk management | Audits and Risk Management | |
| Include risks and opportunities in the audit report. CC ID 16196 | Audits and risk management | Establish/Maintain Documentation | |
| Include the description of tests of controls and results in the audit report. CC ID 14898 | Audits and risk management | Establish/Maintain Documentation | |
| Include the nature of the tests performed in the description of tests of controls and results in the audit report. CC ID 14908 | Audits and risk management | Establish/Maintain Documentation | |
| Include the test scope in the description of tests of controls and results in the audit report. CC ID 14906 | Audits and risk management | Establish/Maintain Documentation | |
| Identify the stakeholders interviewed to obtain audit evidence in the description of tests of controls and results in the audit report. CC ID 14905 | Audits and risk management | Establish/Maintain Documentation | |
| Include the timing of controls in the description of tests of controls and results in the audit report. CC ID 16553 | Audits and risk management | Audits and Risk Management | |
| Include the controls that were tested in the description of tests of controls and results in the audit report. CC ID 14902 | Audits and risk management | Establish/Maintain Documentation | |
| Include subsequent events related to the audit assertion or audit subject matter in the audit report. CC ID 16773 | Audits and risk management | Establish/Maintain Documentation | |
| Include the organization's audit assertion of the in scope system in the audit report. CC ID 07005 | Audits and risk management | Actionable Reports or Measurements | |
| Include that the organization is the responsible party for the content of its audit assertion and in scope system description in the audit report. CC ID 07010 | Audits and risk management | Establish/Maintain Documentation | |
| Include that the organization is the responsible party for providing in scope services in the audit report. CC ID 14903 | Audits and risk management | Establish/Maintain Documentation | |
| Include that the organization is the responsible party for specifying in scope controls not defined by law or contractual obligation in the audit report. CC ID 07011 | Audits and risk management | Establish/Maintain Documentation | |
| Include that the organization is the responsible party for designing and implementing the in scope controls it identified in the audit scope in the audit report. CC ID 07014 | Audits and risk management | Establish/Maintain Documentation | |
| Include the audit opinion regarding the accurateness of the in scope system description in the audit report. CC ID 07019 | Audits and risk management | Establish/Maintain Documentation | |
| Include the attestation standards the auditor follows in the audit report. CC ID 07015 | Audits and risk management | Establish/Maintain Documentation | |
| Include the audit opinion about the audit assertion in relation to the audit criteria used for evaluation in the audit report. CC ID 07169 | Audits and risk management | Establish/Maintain Documentation | |
| Include the auditor's significant reservations about the engagement, the audit assertion, or the audit subject matter in the audit report. CC ID 07170 | Audits and risk management | Establish/Maintain Documentation | |
| Include an emphasis-of-matter paragraph in the audit report. CC ID 14890 | Audits and risk management | Establish/Maintain Documentation | |
| Include the organization's in scope system description in the audit report. CC ID 11626 | Audits and risk management | Audits and Risk Management | |
| Include any out of scope components of in scope systems in the audit report. CC ID 07006 | Audits and risk management | Establish/Maintain Documentation | |
| Include that the organization is the responsible party for identifying material risks in the audit report. CC ID 07012 | Audits and risk management | Establish/Maintain Documentation | |
| Include that the organization is the responsible party for selecting the audit criteria in the audit report. CC ID 07013 | Audits and risk management | Establish/Maintain Documentation | |
| Include the scope and work performed in the audit report. CC ID 11621 | Audits and risk management | Audits and Risk Management | |
| Resolve disputes before creating the audit summary. CC ID 08964 | Audits and risk management | Behavior | |
| Refrain from including the description of the audit in the audit report when the auditor is disclaiming an audit opinion. CC ID 13975 | Audits and risk management | Establish/Maintain Documentation | |
| Refrain from including scope limitations from changed attestation engagements in the audit report. CC ID 13983 | Audits and risk management | Establish/Maintain Documentation | |
| Refrain from including in the audit report any procedures that were performed that the auditor is disclaiming in an audit opinion. CC ID 13974 | Audits and risk management | Establish/Maintain Documentation | |
| Include the results of the business impact analysis in the audit report. CC ID 17208 | Audits and risk management | Establish/Maintain Documentation | |
| Include an audit opinion in the audit report. CC ID 07017 | Audits and risk management | Establish/Maintain Documentation | |
| Include qualified opinions in the audit report. CC ID 13928 | Audits and risk management | Establish/Maintain Documentation | |
| Include that the auditor is the responsible party to express an opinion on the audit subject matter based on examination of evidence in the audit report. CC ID 07174 | Audits and risk management | Establish/Maintain Documentation | |
| Include that the auditor did not express an opinion in the audit report, as necessary. CC ID 13886 | Audits and risk management | Establish/Maintain Documentation | |
| Include items that were excluded from the audit report in the audit report. CC ID 07007 | Audits and risk management | Establish/Maintain Documentation | |
| Include the organization's privacy practices in the audit report. CC ID 07029 | Audits and risk management | Establish/Maintain Documentation | |
| Include items that pertain to third parties in the audit report. CC ID 07008 | Audits and risk management | Establish/Maintain Documentation | |
| Refrain from including reference to procedures performed in previous attestation engagements in the audit report. CC ID 13970 | Audits and risk management | Establish/Maintain Documentation | |
| Include a statement in the audit report that no procedures were performed subsequent to the date of the practitioner's review report on pro forma financial information, as necessary. CC ID 13969 | Audits and risk management | Establish/Maintain Documentation | |
| Include any of the organization's use of compensating controls that were not audited in the audit report. CC ID 07009 | Audits and risk management | Establish/Maintain Documentation | |
| Include whether the use of compensating controls are necessary in the audit report. CC ID 07020 | Audits and risk management | Establish/Maintain Documentation | |
| Include the pass or fail test status of all in scope controls in the audit report. CC ID 07016 | Audits and risk management | Establish/Maintain Documentation | |
| Include the process of using evidential matter to test in scope controls in the audit report. CC ID 07021 | Audits and risk management | Establish/Maintain Documentation | |
| Include the nature and causes of identified in scope control deviations in the audit report. CC ID 07022 | Audits and risk management | Establish/Maintain Documentation | |
| Disclose any audit irregularities in the audit report. CC ID 06995 | Audits and risk management | Actionable Reports or Measurements | |
| Include the written signature of the auditor's organization in the audit report. CC ID 13897 [Where an audit firm carries out the statutory audit, the audit report shall be signed by at least the statutory auditor(s) carrying out the statutory audit on behalf of the audit firm. In exceptional circumstances Member States may provide that this signature need not be disclosed to the public if such disclosure could lead to an imminent and significant threat to the personal security of any person. In any case the name(s) of the person(s) involved shall be known to the relevant competent authorities. Article 28 1.] | Audits and risk management | Establish/Maintain Documentation | |
| Include a statement that additional reports are being submitted in the audit report. CC ID 16848 | Audits and risk management | Establish/Maintain Documentation | |
| Disseminate and communicate the audit report to all interested personnel and affected parties identified in the distribution list. CC ID 07117 | Audits and risk management | Establish/Maintain Documentation | |
| Define the roles and responsibilities for distributing the audit report. CC ID 16845 | Audits and risk management | Human Resources Management | |
| Disseminate and communicate the reasons the audit report was delayed to interested personnel and affected parties. CC ID 15257 | Audits and risk management | Communicate | |
| Notify auditees if disclosure of audit documentation is required by law. CC ID 15249 | Audits and risk management | Communicate | |
| Disseminate and communicate to the organization that access and use of audit reports are based on least privilege. CC ID 07171 | Audits and risk management | Behavior | |
| Disseminate and communicate documents that contain information in support of the audit report. CC ID 07175 | Audits and risk management | Establish/Maintain Documentation | |
| Correct any material misstatements in documents that contain information in support of the audit report. CC ID 07176 | Audits and risk management | Establish/Maintain Documentation | |
| Notify interested personnel and affected parties after bribes are offered during the audit. CC ID 08872 | Audits and risk management | Business Processes | |
| Accept the audit report. CC ID 07025 | Audits and risk management | Establish/Maintain Documentation | |
| Assign responsibility for remediation actions. CC ID 13622 | Audits and risk management | Human Resources Management | |
| Define penalties for uncorrected audit findings or remaining non-compliant with the audit report. CC ID 08963 [If the recommendations referred to in point (j) are not followed up, the statutory auditor or audit firm shall, if applicable, be subject to the system of disciplinary actions or penalties referred to in Article 30. Article 29 1. ¶ 1 Member States shall ensure that there are effective systems of investigations and penalties to detect, correct and prevent inadequate execution of the statutory audit. Article 30 1.] | Audits and risk management | Establish/Maintain Documentation | |
| Assess the quality of the audit program in regards to its documentation. CC ID 11622 [Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: the scope of the quality assurance review, supported by adequate testing of selected audit files, shall include an assessment of compliance with applicable auditing standards and independence requirements, of the quantity and quality of resources spent, of the audit fees charged and of the internal quality control system of the audit firm; Article 29 1.(f) Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: the scope of the quality assurance review, supported by adequate testing of selected audit files, shall include an assessment of compliance with applicable auditing standards and independence requirements, of the quantity and quality of resources spent, of the audit fees charged and of the internal quality control system of the audit firm; Article 29 1.(f)] | Audits and risk management | Audits and Risk Management | |
| Include the audit criteria in the audit plan. CC ID 15262 | Audits and risk management | Establish/Maintain Documentation | |
| Include a list of reference documents in the audit plan. CC ID 15260 | Audits and risk management | Establish/Maintain Documentation | |
| Include the languages to be used for the audit in the audit plan. CC ID 15252 | Audits and risk management | Establish/Maintain Documentation | |
| Include the allocation of resources in the audit plan. CC ID 15251 | Audits and risk management | Establish/Maintain Documentation | |
| Include communication protocols in the audit plan. CC ID 15247 | Audits and risk management | Establish/Maintain Documentation | |
| Include the level of audit sampling necessary to collect sufficient audit evidence in the audit plan. CC ID 15246 | Audits and risk management | Establish/Maintain Documentation | |
| Include meeting schedules in the audit plan. CC ID 15245 | Audits and risk management | Establish/Maintain Documentation | |
| Include the time frames for the audit in the audit plan. CC ID 15244 | Audits and risk management | Establish/Maintain Documentation | |
| Include the time frames for conducting the audit in the audit plan. CC ID 15243 | Audits and risk management | Establish/Maintain Documentation | |
| Include the locations to be audited in the audit plan. CC ID 15242 | Audits and risk management | Establish/Maintain Documentation | |
| Include the processes to be audited in the audit plan. CC ID 15241 | Audits and risk management | Establish/Maintain Documentation | |
| Include audit objectives in the audit plan. CC ID 15240 | Audits and risk management | Establish/Maintain Documentation | |
| Include the risks associated with audit activities in the audit plan. CC ID 15239 | Audits and risk management | Establish/Maintain Documentation | |
| Disseminate and communicate the audit plan to interested personnel and affected parties. CC ID 15238 | Audits and risk management | Communicate | |
| Establish, implement, and maintain an audit schedule for the audit program. CC ID 13158 | Audits and risk management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a risk management program. CC ID 12051 | Audits and risk management | Establish/Maintain Documentation | |
| Establish, implement, and maintain the risk assessment framework. CC ID 00685 | Audits and risk management | Establish/Maintain Documentation | |
| Develop key indicators to inform management on the effectiveness of risk control measures. CC ID 12946 | Audits and risk management | Audits and Risk Management | |
| Establish, implement, and maintain a disclosure report. CC ID 15521 [The system of public oversight shall be transparent. This shall include the publication of annual work programmes and activity reports. Article 32 6.] | Audits and risk management | Establish/Maintain Documentation | |
| Include goals and targets in the disclosure report. CC ID 16339 [Member States shall ensure that statutory auditors and audit firms that carry out statutory audit(s) of public-interest entities publish on their websites, within three months of the end of each financial year, annual transparency reports that include at least the following: a description of the internal quality control system of the audit firm and a statement by the administrative or management body on the effectiveness of its functioning; Article 40 1.(d)] | Audits and risk management | Establish/Maintain Documentation | |
| Include the governance, risk, and compliance approach in the disclosure report. CC ID 16024 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of assurance processes in the disclosure report. CC ID 16031 [Member States shall ensure that statutory auditors and audit firms that carry out statutory audit(s) of public-interest entities publish on their websites, within three months of the end of each financial year, annual transparency reports that include at least the following: a description of the internal quality control system of the audit firm and a statement by the administrative or management body on the effectiveness of its functioning; Article 40 1.(d)] | Audits and risk management | Establish/Maintain Documentation | |
| Include how material topics are managed in the disclosure report. CC ID 15657 | Audits and risk management | Establish/Maintain Documentation | |
| Include disclosures for each material topic in the disclosure report. CC ID 15658 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of how the organization manages training and education in the disclosure report. CC ID 15875 [Member States shall ensure that statutory auditors and audit firms that carry out statutory audit(s) of public-interest entities publish on their websites, within three months of the end of each financial year, annual transparency reports that include at least the following: a statement on the policy followed by the audit firm concerning the continuing education of statutory auditors referred to in Article 13; Article 40 1.(h)] | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of professional development programs in the disclosure report. CC ID 15880 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of professional development assistance in the disclosure report. CC ID 15879 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of transition assistance programs in the disclosure report. CC ID 15878 | Audits and risk management | Establish/Maintain Documentation | |
| Include the governance structure in the disclosure report. CC ID 15840 [Member States shall ensure that statutory auditors and audit firms that carry out statutory audit(s) of public-interest entities publish on their websites, within three months of the end of each financial year, annual transparency reports that include at least the following: a description of the governance structure of the audit firm; Article 40 1.(c)] | Audits and risk management | Establish/Maintain Documentation | |
| Include stakeholder representation in the disclosure report. CC ID 15847 | Audits and risk management | Establish/Maintain Documentation | |
| Include a description of the composition of governance bodies and committees in the disclosure report. CC ID 15843 | Audits and risk management | Establish/Maintain Documentation | |
| Include the ownership structure in the disclosure report. CC ID 15822 [Member States shall ensure that statutory auditors and audit firms that carry out statutory audit(s) of public-interest entities publish on their websites, within three months of the end of each financial year, annual transparency reports that include at least the following: a description of the legal structure and ownership; Article 40 1.(a)] | Audits and risk management | Establish/Maintain Documentation | |
| Include the shareholding structure in the disclosure report. CC ID 16093 | Audits and risk management | Establish/Maintain Documentation | |
| Disseminate and communicate the disclosure report to interested personnel and affected parties. CC ID 15667 [Member States shall ensure that statutory auditors and audit firms that carry out statutory audit(s) of public-interest entities publish on their websites, within three months of the end of each financial year, annual transparency reports that include at least the following: Article 40 1.] | Audits and risk management | Communicate | |
| Establish, implement, and maintain high level operational roles and responsibilities. CC ID 00806 | Human Resources management | Establish Roles | |
| Define and assign board committees, as necessary. CC ID 14787 | Human Resources management | Human Resources Management | |
| Define and assign audit committees, as necessary. CC ID 14788 [Each public-interest entity shall have an audit committee. The Member State shall determine whether audit committees are to be composed of non-executive members of the administrative body and/or members of the supervisory body of the audited entity and/or members appointed by the general meeting of shareholders of the audited entity. At least one member of the audit committee shall be independent and shall have competence in accounting and/or auditing. Article 41 1. ¶ 1 Each public-interest entity shall have an audit committee. The Member State shall determine whether audit committees are to be composed of non-executive members of the administrative body and/or members of the supervisory body of the audited entity and/or members appointed by the general meeting of shareholders of the audited entity. At least one member of the audit committee shall be independent and shall have competence in accounting and/or auditing. Article 41 1. ¶ 1] | Human Resources management | Human Resources Management | |
| Include members with experience in audit practices, financial reporting, and accounting in the audit committee. CC ID 14796 [Each public-interest entity shall have an audit committee. The Member State shall determine whether audit committees are to be composed of non-executive members of the administrative body and/or members of the supervisory body of the audited entity and/or members appointed by the general meeting of shareholders of the audited entity. At least one member of the audit committee shall be independent and shall have competence in accounting and/or auditing. Article 41 1. ¶ 1] | Human Resources management | Human Resources Management | |
| Establish, implement, and maintain a personnel management program. CC ID 14018 | Human Resources management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a personnel security program. CC ID 10628 | Human Resources management | Establish/Maintain Documentation | |
| Assign security clearance procedures to qualified personnel. CC ID 06812 | Human Resources management | Establish Roles | |
| Assign personnel screening procedures to qualified personnel. CC ID 11699 | Human Resources management | Establish Roles | |
| Establish, implement, and maintain personnel screening procedures. CC ID 11700 | Human Resources management | Establish/Maintain Documentation | |
| Perform a personal identification check during personnel screening. CC ID 06721 | Human Resources management | Human Resources Management | |
| Perform a criminal records check during personnel screening. CC ID 06643 | Human Resources management | Establish/Maintain Documentation | |
| Include all residences in the criminal records check. CC ID 13306 | Human Resources management | Process or Activity | |
| Document any reasons a full criminal records check could not be performed. CC ID 13305 | Human Resources management | Establish/Maintain Documentation | |
| Perform a personal references check during personnel screening. CC ID 06645 | Human Resources management | Human Resources Management | |
| Perform a credit check during personnel screening. CC ID 06646 | Human Resources management | Human Resources Management | |
| Perform an academic records check during personnel screening. CC ID 06647 | Human Resources management | Establish/Maintain Documentation | |
| Perform a drug test during personnel screening. CC ID 06648 | Human Resources management | Testing | |
| Perform a resume check during personnel screening. CC ID 06659 | Human Resources management | Human Resources Management | |
| Perform a curriculum vitae check during personnel screening. CC ID 06660 | Human Resources management | Human Resources Management | |
| Allow personnel being screened to appeal findings and appeal decisions. CC ID 06720 | Human Resources management | Human Resources Management | |
| Disseminate and communicate screening results to interested personnel and affected parties. CC ID 16445 | Human Resources management | Communicate | |
| Disseminate and communicate personnel screening procedures to interested personnel and affected parties. CC ID 16977 | Human Resources management | Communicate | |
| Perform personnel screening procedures, as necessary. CC ID 11763 | Human Resources management | Human Resources Management | |
| Establish, implement, and maintain security clearance procedures. CC ID 00783 | Human Resources management | Establish/Maintain Documentation | |
| Perform security clearance procedures, as necessary. CC ID 06644 | Human Resources management | Human Resources Management | |
| Establish and maintain security clearances. CC ID 01634 | Human Resources management | Human Resources Management | |
| Train all personnel and third parties, as necessary. CC ID 00785 [In order to ensure the ability to apply theoretical knowledge in practice, a test of which is included in the examination, a trainee shall complete a minimum of three years' practical training in, inter alia, the auditing of annual accounts, consolidated accounts or similar financial statements. At least two thirds of such practical training shall be completed with a statutory auditor or audit firm approved in any Member State. Article 10 1.] | Human Resources management | Behavior | |
| Provide new hires limited network access to complete computer-based training. CC ID 17008 | Human Resources management | Training | |
| Establish, implement, and maintain an education methodology. CC ID 06671 [{investigation process} {disciplinary process} The system of public oversight shall have the ultimate responsibility for the oversight of: continuing education, quality assurance and investigative and disciplinary systems. Article 32 4.(c)] | Human Resources management | Business Processes | |
| Support certification programs as viable training programs. CC ID 13268 [Member States may provide that periods of theoretical instruction in the fields referred to in Article 8 shall count towards the periods of professional activity referred to in Article 11, provided that such instruction is attested by an examination recognised by the State. Such instruction shall not last less than one year, nor may it reduce the period of professional activity by more than four years. Article 12 1.] | Human Resources management | Human Resources Management | |
| Include evidence of experience in applications for professional certification. CC ID 16193 | Human Resources management | Establish/Maintain Documentation | |
| Include supporting documentation in applications for professional certification. CC ID 16195 | Human Resources management | Establish/Maintain Documentation | |
| Submit applications for professional certification. CC ID 16192 | Human Resources management | Training | |
| Retrain all personnel, as necessary. CC ID 01362 [Member States shall ensure that statutory auditors are required to take part in appropriate programmes of continuing education in order to maintain their theoretical knowledge, professional skills and values at a sufficiently high level, and that failure to respect the continuing education requirements is subject to appropriate penalties as referred to in Article 30. Article 13 ¶ 1] | Human Resources management | Behavior | |
| Tailor training to meet published guidance on the subject being taught. CC ID 02217 | Human Resources management | Behavior | |
| Tailor training to be taught at each person's level of responsibility. CC ID 06674 | Human Resources management | Behavior | |
| Conduct cross-training or staff backup training to minimize dependency on critical individuals. CC ID 00786 | Human Resources management | Behavior | |
| Use automated mechanisms in the training environment, where appropriate. CC ID 06752 | Human Resources management | Behavior | |
| Hire third parties to conduct training, as necessary. CC ID 13167 | Human Resources management | Human Resources Management | |
| Review the current published guidance and awareness and training programs. CC ID 01245 | Human Resources management | Establish/Maintain Documentation | |
| Establish, implement, and maintain training plans. CC ID 00828 | Human Resources management | Establish/Maintain Documentation | |
| Approve training plans, as necessary. CC ID 17193 | Human Resources management | Training | |
| Include prevention techniques in training regarding diseases or sicknesses. CC ID 14387 | Human Resources management | Training | |
| Include the concept of disease clusters when training to recognize conditions of diseases or sicknesses. CC ID 14386 | Human Resources management | Training | |
| Develop or acquire content to update the training plans. CC ID 12867 | Human Resources management | Training | |
| Establish, implement, and maintain a list of tasks to include in the training plan. CC ID 17101 | Human Resources management | Training | |
| Designate training facilities in the training plan. CC ID 16200 | Human Resources management | Training | |
| Include portions of the visitor control program in the training plan. CC ID 13287 | Human Resources management | Establish/Maintain Documentation | |
| Include ethical culture in the security awareness program. CC ID 12801 | Human Resources management | Human Resources Management | |
| Include insider threats in the security awareness program. CC ID 16963 | Human Resources management | Training | |
| Include in scope external requirements in the training plan, as necessary. CC ID 13041 | Human Resources management | Training | |
| Include duties and responsibilities in the training plan, as necessary. CC ID 12800 | Human Resources management | Human Resources Management | |
| Conduct bespoke roles and responsibilities training, as necessary. CC ID 13192 | Human Resources management | Training | |
| Include risk management in the security awareness program. CC ID 13040 | Human Resources management | Training | |
| Conduct Archives and Records Management training. CC ID 00975 | Human Resources management | Behavior | |
| Conduct personal data processing training. CC ID 13757 | Human Resources management | Training | |
| Include in personal data processing training how to provide the contact information for the categories of personal data the organization may disclose. CC ID 13758 | Human Resources management | Training | |
| Include cloud security in the security awareness program. CC ID 13039 | Human Resources management | Training | |
| Establish, implement, and maintain a security awareness program. CC ID 11746 | Human Resources management | Establish/Maintain Documentation | |
| Complete security awareness training prior to being granted access to information systems or data. CC ID 17009 | Human Resources management | Training | |
| Establish, implement, and maintain a security awareness and training policy. CC ID 14022 | Human Resources management | Establish/Maintain Documentation | |
| Include compliance requirements in the security awareness and training policy. CC ID 14092 | Human Resources management | Establish/Maintain Documentation | |
| Include coordination amongst entities in the security awareness and training policy. CC ID 14091 | Human Resources management | Establish/Maintain Documentation | |
| Establish, implement, and maintain security awareness and training procedures. CC ID 14054 | Human Resources management | Establish/Maintain Documentation | |
| Disseminate and communicate the security awareness and training procedures to interested personnel and affected parties. CC ID 14138 | Human Resources management | Communicate | |
| Include management commitment in the security awareness and training policy. CC ID 14049 | Human Resources management | Establish/Maintain Documentation | |
| Include roles and responsibilities in the security awareness and training policy. CC ID 14048 | Human Resources management | Establish/Maintain Documentation | |
| Include the scope in the security awareness and training policy. CC ID 14047 | Human Resources management | Establish/Maintain Documentation | |
| Include the purpose in the security awareness and training policy. CC ID 14045 | Human Resources management | Establish/Maintain Documentation | |
| Include configuration management procedures in the security awareness program. CC ID 13967 | Human Resources management | Establish/Maintain Documentation | |
| Include media protection in the security awareness program. CC ID 16368 | Human Resources management | Training | |
| Document security awareness requirements. CC ID 12146 | Human Resources management | Establish/Maintain Documentation | |
| Include safeguards for information systems in the security awareness program. CC ID 13046 | Human Resources management | Establish/Maintain Documentation | |
| Include identity and access management in the security awareness program. CC ID 17013 | Human Resources management | Training | |
| Include the encryption process in the security awareness program. CC ID 17014 | Human Resources management | Training | |
| Include security policies and security standards in the security awareness program. CC ID 13045 | Human Resources management | Establish/Maintain Documentation | |
| Include physical security in the security awareness program. CC ID 16369 | Human Resources management | Training | |
| Include data management in the security awareness program. CC ID 17010 | Human Resources management | Training | |
| Include e-mail and electronic messaging in the security awareness program. CC ID 17012 | Human Resources management | Training | |
| Include mobile device security guidelines in the security awareness program. CC ID 11803 | Human Resources management | Establish/Maintain Documentation | |
| Include updates on emerging issues in the security awareness program. CC ID 13184 | Human Resources management | Training | |
| Include cybersecurity in the security awareness program. CC ID 13183 | Human Resources management | Training | |
| Include implications of non-compliance in the security awareness program. CC ID 16425 | Human Resources management | Training | |
| Include social networking in the security awareness program. CC ID 17011 | Human Resources management | Training | |
| Include the acceptable use policy in the security awareness program. CC ID 15487 | Human Resources management | Training | |
| Include training based on the participants' level of responsibility and access level in the security awareness program. CC ID 11802 | Human Resources management | Establish/Maintain Documentation | |
| Include a requirement to train all new hires and interested personnel in the security awareness program. CC ID 11800 | Human Resources management | Establish/Maintain Documentation | |
| Include remote access in the security awareness program. CC ID 13892 | Human Resources management | Establish/Maintain Documentation | |
| Document the goals of the security awareness program. CC ID 12145 | Human Resources management | Establish/Maintain Documentation | |
| Compare current security awareness assessment reports to the security awareness baseline. CC ID 12150 | Human Resources management | Establish/Maintain Documentation | |
| Establish and maintain management's commitment to supporting the security awareness program. CC ID 12151 | Human Resources management | Human Resources Management | |
| Establish and maintain a steering committee to guide the security awareness program. CC ID 12149 | Human Resources management | Human Resources Management | |
| Document the scope of the security awareness program. CC ID 12148 | Human Resources management | Establish/Maintain Documentation | |
| Establish, implement, and maintain a security awareness baseline. CC ID 12147 | Human Resources management | Establish/Maintain Documentation | |
| Encourage interested personnel to obtain security certification. CC ID 11804 | Human Resources management | Human Resources Management | |
| Disseminate and communicate the security awareness program to all interested personnel and affected parties. CC ID 00823 | Human Resources management | Behavior | |
| Train all personnel and third parties on how to recognize and report security incidents. CC ID 01211 | Human Resources management | Behavior | |
| Train all personnel and third parties on how to recognize and report system failures. CC ID 13475 | Human Resources management | Training | |
| Require personnel to acknowledge, through writing their signature, that they have read and understand the organization's security policies. CC ID 01363 | Human Resources management | Establish/Maintain Documentation | |
| Establish, implement, and maintain an environmental management system awareness program. CC ID 15200 | Human Resources management | Establish/Maintain Documentation | |
| Conduct tampering prevention training. CC ID 11875 | Human Resources management | Training | |
| Include the mandate to refrain from installing, refrain from replacing, and refrain from returning any asset absent verification in the tampering prevention training. CC ID 11877 | Human Resources management | Training | |
| Include how to identify and authenticate third parties claiming to be maintenance personnel in the tampering prevention training. CC ID 11876 | Human Resources management | Training | |
| Include how to report tampering and unauthorized substitution in the tampering prevention training. CC ID 11879 | Human Resources management | Training | |
| Include how to prevent physical tampering in the tampering prevention training. CC ID 11878 | Human Resources management | Training | |
| Include procedures on how to inspect devices in the tampering prevention training. CC ID 11990 | Human Resources management | Training | |
| Train interested personnel and affected parties to collect digital forensic evidence. CC ID 08658 | Human Resources management | Training | |
| Conduct crime prevention training. CC ID 06350 | Human Resources management | Behavior | |
| Establish, implement, and maintain a conflict of interest policy. CC ID 14785 [{do not exist} Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: the selection of reviewers for specific quality assurance review assignments shall be effected in accordance with an objective procedure designed to ensure that there are no conflicts of interest between the reviewers and the statutory auditor or audit firm under review; Article 29 1.(e) The competent authorities shall be organised in such a manner that conflicts of interests are avoided. Article 35 2.] | Human Resources management | Establish/Maintain Documentation | |
| Include definitions of conflicts of interest in the conflict of interest policy. CC ID 14792 | Human Resources management | Establish/Maintain Documentation | |
| Include continuous monitoring for conflicts of interest in the conflict of interest policy. CC ID 17190 | Human Resources management | Monitor and Evaluate Occurrences | |
| Submit a conflict of interest declaration to interested personnel and affected parties. CC ID 16194 [In addition to the provisions laid down in Articles 22 and 24, Member States shall ensure that statutory auditors or audit firms that carry out the statutory audit of a public-interest entity: confirm annually in writing to the audit committee their independence from the audited public-interest entity; Article 42 1.(a)] | Human Resources management | Communicate | |
| Include roles and responsibilities in the conflict of interest policy. CC ID 14790 | Human Resources management | Establish/Maintain Documentation | |
| Establish, implement, and maintain an ethics program. CC ID 11496 [Member States shall ensure that all statutory auditors and audit firms are subject to principles of professional ethics, covering at least their public-interest function, their integrity and objectivity and their professional competence and due care. Article 21 1. The system of public oversight shall have the ultimate responsibility for the oversight of: the adoption of standards on professional ethics, internal quality control of audit firms and auditing, and Article 32 4.(b)] | Human Resources management | Human Resources Management | |
| Include communication protocols for interested personnel and affected parties in the ethics program. CC ID 12858 | Human Resources management | Communicate | |
| Establish, implement, and maintain ethical decision-making guidelines. CC ID 12908 | Human Resources management | Behavior | |
| Establish, implement, and maintain investigation procedures addressing ethics complaints. CC ID 12900 | Human Resources management | Investigate | |
| Establish, implement, and maintain an ethical culture. CC ID 12781 | Human Resources management | Behavior | |
| Analyze the organizational climate regarding support for expectation of responsible behavior and integrity. CC ID 12873 | Human Resources management | Monitor and Evaluate Occurrences | |
| Analyze the organizational climate regarding the expectation of responsible behavior and integrity. CC ID 12872 | Human Resources management | Monitor and Evaluate Occurrences | |
| Refrain from practicing false advertising. CC ID 14253 | Human Resources management | Business Processes | |
| Establish mechanisms for whistleblowers to report compliance violations. CC ID 06806 | Human Resources management | Business Processes | |
| Establish mechanisms to maintain the anonymity of whistleblowers. CC ID 12859 | Human Resources management | Communicate | |
| Establish, implement, and maintain a training program to report compliance violations. CC ID 11835 | Human Resources management | Establish/Maintain Documentation | |
| Refrain from discriminating against employees who refuse or intends to refuse to do something that contravenes requirements. CC ID 13608 | Human Resources management | Behavior | |
| Refrain from discriminating against employees who are whistleblowers. CC ID 13609 | Human Resources management | Behavior | |
| Refrain from discriminating against employees who disclose that their employer or another person has or intends to contravene requirements. CC ID 13607 | Human Resources management | Behavior | |
| Apply legal remedies to any person knowingly partaking in illegal actions. CC ID 11515 | Human Resources management | Human Resources Management | |
| Include prohibiting counterfeiting in the ethics program. CC ID 11517 | Human Resources management | Human Resources Management | |
| Refrain from assigning roles and responsibilities that breach segregation of duties. CC ID 12055 | Human Resources management | Human Resources Management | |
| Refrain from assigning security compliance assessment responsibility for the day-to-day production activities an individual performs. CC ID 12061 | Human Resources management | Establish Roles | |
| Refrain from approving previously performed activities when acting on behalf of the Chief Information Security Officer. CC ID 12060 | Human Resources management | Behavior | |
| Refrain from performing activities with approval responsibility when acting on behalf of the Chief Information Security Officer. CC ID 12059 | Human Resources management | Behavior | |
| Prohibit roles from performing activities that they are assigned the responsibility for approving. CC ID 12052 | Human Resources management | Behavior | |
| Establish, implement, and maintain a registration database. CC ID 15048 [{unique identifier} Member States shall ensure that each statutory auditor and audit firm is identified in the public register by an individual number. Registration information shall be stored in the register in electronic form and shall be electronically accessible to the public. Article 15 2. Member States shall ensure that statutory auditors and audit firms notify the competent authorities in charge of the public register without undue delay of any change of information contained in the public register. The register shall be updated without undue delay after notification. Article 18 ¶ 1 Each Member State shall ensure that statutory auditors and audit firms are entered in a public register in accordance with Articles 16 and 17. In exceptional circumstances, Member States may disapply the requirements laid down in this Article and Article 16 regarding disclosure only to the extent necessary to mitigate an imminent and significant threat to the personal security of any person. Article 15 1.] | Operational management | Data and Information Management | |
| Implement access restrictions for information in the registration database. CC ID 17235 | Operational management | Data and Information Management | |
| Include registration numbers in the registration database. CC ID 17272 [As regards statutory auditors, the public register shall contain at least the following information: name, address and registration number; Article 16 1.(a) As regards statutory auditors, the public register shall contain at least the following information: if applicable, the name, address, website address and registration number of the audit firm(s) by which the statutory auditor is employed, or with whom he or she is associated as a partner or otherwise; Article 16 1.(b) As regards audit firms, the public register shall contain at least the following information: name, address and registration number; Article 17 1.(a)] | Operational management | Data and Information Management | |
| Include electronic signatures in the registration database. CC ID 17281 [{public register} The information provided to the relevant competent authorities in accordance with Articles 16, 17 and 18 shall be signed by the statutory auditor or audit firm. Where the competent authority provides for the information to be made available electronically, that can, for example, be done by means of an electronic signature as defined in point 1 of Article 2 of Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures (19). Article 19 ¶ 1] | Operational management | Data and Information Management | |
| Include other registrations in the registration database. CC ID 17274 [As regards audit firms, the public register shall contain at least the following information: all other registration(s) as audit firm with the competent authorities of other Member States and as audit entity with third countries, including the name(s) of the registration authority(ies), and, if applicable, the registration number(s). Article 17 1.(i)] | Operational management | Data and Information Management | |
| Include the owners and shareholders in the registration database. CC ID 17273 [As regards audit firms, the public register shall contain at least the following information: names and business addresses of all owners and shareholders; Article 17 1.(f)] | Operational management | Data and Information Management | |
| Include contact details in the registration database. CC ID 15109 [The public register shall also contain the name and address of the competent authorities responsible for approval as referred to in Article 3, for quality assurance as referred to in Article 29, for investigations and penalties on statutory auditors and audit firms as referred to in Article 30, and for public oversight as referred to in Article 32. Article 15 3. As regards statutory auditors, the public register shall contain at least the following information: name, address and registration number; Article 16 1.(a) As regards statutory auditors, the public register shall contain at least the following information: if applicable, the name, address, website address and registration number of the audit firm(s) by which the statutory auditor is employed, or with whom he or she is associated as a partner or otherwise; Article 16 1.(b) As regards statutory auditors, the public register shall contain at least the following information: if applicable, the name, address, website address and registration number of the audit firm(s) by which the statutory auditor is employed, or with whom he or she is associated as a partner or otherwise; Article 16 1.(b) As regards audit firms, the public register shall contain at least the following information: name, address and registration number; Article 17 1.(a) As regards audit firms, the public register shall contain at least the following information: contact information, the primary contact person and, where applicable, the website address; Article 17 1.(c) As regards audit firms, the public register shall contain at least the following information: contact information, the primary contact person and, where applicable, the website address; Article 17 1.(c) As regards audit firms, the public register shall contain at least the following information: address of each office in the Member State; Article 17 1.(d) As regards audit firms, the public register shall contain at least the following information: names and business addresses of all members of the administrative or management body; Article 17 1.(g) As regards audit firms, the public register shall contain at least the following information: if applicable, the membership of a network and a list of the names and addresses of member firms and affiliates or an indication of the place where such information is publicly available; Article 17 1.(h)] | Operational management | Establish/Maintain Documentation | |
| Include personal data in the registration database, as necessary. CC ID 15108 | Operational management | Establish/Maintain Documentation | |
| Publish the registration information in the registration database in an official language. CC ID 17280 [The information entered in the public register shall be drawn up in one of the languages permitted by the language rules applicable in the Member State concerned. Article 20 1. Member States may additionally allow the information to be entered in the public register in any other official language(s) of the Community. Member States may require the translation of the information to be certified. Article 20 2. ¶ 1] | Operational management | Data and Information Management | |
| Make the registration database available to the public. CC ID 15107 [{unique identifier} Member States shall ensure that each statutory auditor and audit firm is identified in the public register by an individual number. Registration information shall be stored in the register in electronic form and shall be electronically accessible to the public. Article 15 2.] | Operational management | Communicate | |
| Maintain non-public information in a protected area in the registration database. CC ID 17237 | Operational management | Data and Information Management | |
| Impose conditions or restrictions on the termination or suspension of a registration. CC ID 16796 | Operational management | Business Processes | |
| Publish the IP addresses being used by each external customer in the registration database. CC ID 16403 | Operational management | Data and Information Management | |
| Update registration information upon changes. CC ID 17275 [Member States shall ensure that statutory auditors and audit firms notify the competent authorities in charge of the public register without undue delay of any change of information contained in the public register. The register shall be updated without undue delay after notification. Article 18 ¶ 1] | Operational management | Data and Information Management | |
| Maintain the accuracy of registry information published in registration databases. CC ID 16402 | Operational management | Data and Information Management | |
| Maintain ease of use for information in the registration database. CC ID 17239 [{unique identifier} Member States shall ensure that each statutory auditor and audit firm is identified in the public register by an individual number. Registration information shall be stored in the register in electronic form and shall be electronically accessible to the public. Article 15 2.] | Operational management | Data and Information Management | |
| Include all required information in the registration database. CC ID 15106 [As regards statutory auditors, the public register shall contain at least the following information: all other registration(s) as statutory auditor with the competent authorities of other Member States and as auditor with third countries, including the name(s) of the registration authority(ies), and, if applicable, the registration number(s). Article 16 1.(c) As regards audit firms, the public register shall contain at least the following information: name and registration number of all statutory auditors employed by or associated as partners or otherwise with the audit firm; Article 17 1.(e) {not be indicated} {public register} Third-country audit entities registered in accordance with Article 45 shall be clearly indicated in the register as such and not as audit firms. Article 17 2. {public register} {do not indicate} Third-country auditors registered in accordance with Article 45 shall be clearly indicated in the register as such and not as statutory auditors. Article 16 2. As regards audit firms, the public register shall contain at least the following information: legal form; Article 17 1.(b) {third-country audit entity} The competent authorities of a Member State shall, in accordance with Articles 15 to 17, register every third-country auditor and audit entity that provides an audit report concerning the annual or consolidated accounts of a company incorporated outwith the Community whose transferable securities are admitted to trading on a regulated market of that Member State within the meaning of point 14 of Article 4(1) of Directive 2004/39/EC, except when the company is an issuer exclusively of debt securities admitted to trading on a regulated market in a Member State within the meaning of Article 2(1)(b) of Directive 2004/109/EC, the denomination per unit of which is at least EUR 50 000 or, in case of debt securities denominated in another currency, equivalent, at the date of issue, to at least EUR 50 000. Article 45 1.] | Operational management | Data and Information Management | |
| Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain a personal data accountability program. CC ID 13432 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Require data controllers to be accountable for their actions. CC ID 00470 | Privacy protection for information and data | Establish Roles | |
| Notify the supervisory authority. CC ID 00472 [Where a competent authority concludes that activities contrary to the provisions of this Directive are being or have been carried out on the territory of another Member State, it shall notify the competent authority of the other Member State of that conclusion in as specific a manner as possible. The competent authority of the other Member State shall take appropriate action. It shall inform the notifying competent authority of the outcome and, to the extent possible, of significant interim developments. Article 36 5. Member States shall communicate to the Commission the working arrangements referred to in paragraphs 1 and 4. Article 47 6.] | Privacy protection for information and data | Behavior | |
| Establish, implement, and maintain approval applications. CC ID 16778 [The competent authorities of the Member States shall establish procedures for the approval of statutory auditors who have been approved in other Member States. Those procedures shall not go beyond a requirement to pass an aptitude test in accordance with Article 4 of Council Directive 89/48/EEC of 21 December 1988 on a general system for the recognition of higher-education diplomas awarded on completion of professional education and training of at least three years' duration (18). The aptitude test, which shall be conducted in one of the languages permitted by the language rules applicable in the Member State concerned, shall cover only the statutory auditor's adequate knowledge of the laws and regulations of that Member State in so far as relevant to statutory audits. Article 14 ¶ 1] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Define the requirements for approving or denying approval applications. CC ID 16780 | Privacy protection for information and data | Business Processes | |
| Submit approval applications to the supervisory authority. CC ID 16627 | Privacy protection for information and data | Communicate | |
| Include required information in the approval application. CC ID 16628 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Extend the time limit for approving or denying approval applications. CC ID 16779 | Privacy protection for information and data | Business Processes | |
| Approve the approval application unless applicant has been convicted. CC ID 16603 | Privacy protection for information and data | Process or Activity | |
| Provide the supervisory authority with any information requested by the supervisory authority. CC ID 12606 [Competent authorities shall, on request, and without undue delay, supply any information required for the purpose referred to in paragraph 1. Where necessary, the competent authorities receiving any such request shall, without undue delay, take the necessary measures to gather the required information. Information thus supplied shall be covered by the obligation of professional secrecy to which the persons employed or formerly employed by the competent authorities that received the information are subject. Article 36 4. ¶ 1] | Privacy protection for information and data | Process or Activity | |
| Notify the supervisory authority of the safeguards employed to protect the data subject's rights. CC ID 12605 | Privacy protection for information and data | Communicate | |
| Respond to questions about submissions in a timely manner. CC ID 16930 | Privacy protection for information and data | Communicate | |
| Establish, implement, and maintain a personal data use limitation program. CC ID 13428 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain data access procedures. CC ID 00414 [The working arrangements referred to in paragraph 1(d) shall ensure that: justification as to the purpose of the request for audit working papers and other documents is provided by the competent authorities; Article 47 2.(a)] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Allow data subjects to submit data requests. CC ID 16545 | Privacy protection for information and data | Process or Activity | |
| Provide individuals with information about where their personal data was processed. CC ID 00415 | Privacy protection for information and data | Data and Information Management | |
| Provide individuals with information about the processing purpose of their personal data. CC ID 00416 | Privacy protection for information and data | Data and Information Management | |
| Provide individuals with information about disclosure of their personal data. CC ID 00417 | Privacy protection for information and data | Data and Information Management | |
| Allow guardians and legal representatives access to personal data about the individual for whom they are guardians or legal representatives. CC ID 00418 | Privacy protection for information and data | Data and Information Management | |
| Provide assistance to requesters in preparing data access requests. CC ID 13588 | Privacy protection for information and data | Data and Information Management | |
| Require data access requests to be in writing, unless the requester is unable. CC ID 00420 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Define what is to be included in a data access request. CC ID 08699 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Refrain from requiring data subjects having to justify personal data access requests. CC ID 12394 | Privacy protection for information and data | Business Processes | |
| Respond to data access requests in a timely manner. CC ID 00421 | Privacy protection for information and data | Behavior | |
| Respond to data access requests in an official language. CC ID 17176 | Privacy protection for information and data | Communicate | |
| Delay responding to data access requests, as necessary. CC ID 15504 | Privacy protection for information and data | Data and Information Management | |
| Expedite the processing of data access requests, as necessary. CC ID 15496 | Privacy protection for information and data | Data and Information Management | |
| Grant a waiver or reduction of fees for data access under defined conditions. CC ID 15502 | Privacy protection for information and data | Business Processes | |
| Define what is included in a request for a waiver or reduction of fees. CC ID 15522 | Privacy protection for information and data | Process or Activity | |
| Deliver the records described in the personal data access request, as necessary. CC ID 08701 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Provide individuals with an estimate of how much data was withheld from the data access request. CC ID 15503 | Privacy protection for information and data | Data and Information Management | |
| Document the outcome of the personal data access request review procedure. CC ID 00455 | Privacy protection for information and data | Data and Information Management | |
| Establish, implement, and maintain procedures for individuals to be able to modify their personal data, as necessary. CC ID 11811 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Submit personal data removal requests in writing. CC ID 11973 | Privacy protection for information and data | Records Management | |
| Include a liability waiver for any harm caused by the exclusion of personal data in the personal data removal request. CC ID 11975 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Notify third parties of data access requests that relates to the third party. CC ID 08703 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Allow affected third parties to consent or object to a data access request. CC ID 08704 | Privacy protection for information and data | Process or Activity | |
| Establish, implement, and maintain data disclosure procedures. CC ID 00133 [Each Member State shall ensure that statutory auditors and audit firms are entered in a public register in accordance with Articles 16 and 17. In exceptional circumstances, Member States may disapply the requirements laid down in this Article and Article 16 regarding disclosure only to the extent necessary to mitigate an imminent and significant threat to the personal security of any person. Article 15 1.] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Disseminate and communicate the disclosure requirements to interested personnel and affected parties. CC ID 16901 | Privacy protection for information and data | Communicate | |
| Identify any adverse effects the disclosure of personal data will have on the data subject. CC ID 15298 | Privacy protection for information and data | Data and Information Management | |
| Review personal data disclosure requests. CC ID 07129 | Privacy protection for information and data | Data and Information Management | |
| Notify the data subject of the disclosure purpose. CC ID 15268 | Privacy protection for information and data | Communicate | |
| Establish, implement, and maintain data request denial procedures. CC ID 00434 [The working arrangements referred to in paragraph 1(d) shall ensure that: the request from a competent authority of a third country for audit working papers or other documents held by a statutory auditor or audit firm can be refused: where judicial proceedings have already been initiated in respect of the same actions and against the same persons before the authorities of the requested Member State. Article 47 2.(d) Bullet 2 The working arrangements referred to in paragraph 1(d) shall ensure that: the request from a competent authority of a third country for audit working papers or other documents held by a statutory auditor or audit firm can be refused: where the provision of those working papers or documents would adversely affect the sovereignty, security or public order of the Community or of the requested Member State, or Article 47 2.(d) Bullet 1] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Include frivolous requests or vexatious requests as a reason for denial in the personal data request denial procedures. CC ID 00435 | Privacy protection for information and data | Data and Information Management | |
| Include when the required information is unavailable as a reason for denial in the personal data request denial procedures. CC ID 00436 | Privacy protection for information and data | Data and Information Management | |
| Include when the disclosure of personal data constitutes contempt of court or contempt of House of Representatives as a reason for denial in the personal data request denial procedures. CC ID 00437 | Privacy protection for information and data | Data and Information Management | |
| Include disclosing personal data that would identify suppliers or breaches an express promise of privacy or implied promise of privacy as a reason for denial in the personal data request denial procedures. CC ID 00438 | Privacy protection for information and data | Data and Information Management | |
| Include disclosing personal data that would compromise National Security as a reason for denial in the personal data request denial procedures. CC ID 00439 | Privacy protection for information and data | Data and Information Management | |
| Include information that is protected by attorney-client privilege as a reason for denial in the personal data request denial procedures. CC ID 00440 | Privacy protection for information and data | Data and Information Management | |
| Include disclosing personal data that would reveal trade secrets, commercial information, or harmful financial information as a reason for denial in the personal data request denial procedures. CC ID 00441 [The competent authorities may refuse to act on a request for information where: supplying information might adversely affect the sovereignty, security or public order of the requested Member State or breach national security rules; or Article 36 4. ¶ 3 (a)] | Privacy protection for information and data | Data and Information Management | |
| Include disclosing personal data that would threaten an individual's life or an individual's security as a reason for denial in the personal data request denial procedures. CC ID 00442 | Privacy protection for information and data | Data and Information Management | |
| Include disclosing personal data that would have an unreasonable impact on another individual's privacy as a reason for denial in the personal data request denial procedures. CC ID 00443 | Privacy protection for information and data | Data and Information Management | |
| Include disclosing personal data that would threaten facilities, property, transport, or communication systems as a reason for denial in the personal data request denial procedures. CC ID 08702 | Privacy protection for information and data | Process or Activity | |
| Include responding to access requests after the time limit as a reason for denial in the personal data request denial procedures. CC ID 13600 [The competent authorities may refuse to act on a request for information where: final judgment has already been passed in respect of the same actions and on the same statutory auditors or audit firms by the competent authorities of the requested Member State. Article 36 4. ¶ 3 (c)] | Privacy protection for information and data | Data and Information Management | |
| Include information that was generated from a formal dispute as a reason for denial in the personal data request denial procedures. CC ID 00444 [The competent authorities may refuse to act on a request for information where: judicial proceedings have already been initiated in respect of the same actions and against the same statutory auditors or audit firms before the authorities of the requested Member State; or Article 36 4. ¶ 3 (b)] | Privacy protection for information and data | Data and Information Management | |
| Include personal data that is used solely for scientific research, scholarly research, statistical research, library purposes, museum purposes, or archival purposes as a reason for denial in the personal data request denial procedures. CC ID 00445 | Privacy protection for information and data | Data and Information Management | |
| Include personal data that is for protecting the civil rights or other's freedoms as a reason for denial in the personal data request denial procedures. CC ID 00447 | Privacy protection for information and data | Data and Information Management | |
| Include disclosing personal data that constitutes a state secret as a reason for denial in the personal data request denial procedures. CC ID 00448 | Privacy protection for information and data | Data and Information Management | |
| Include disclosing personal data that would result in interference with the operation of public functions as a reason for denial in the personal data request denial procedures. CC ID 00449 | Privacy protection for information and data | Data and Information Management | |
| Include disclosing personal data that would interrupt criminal investigation and surveillance or other legal purposes as a reason for denial in the personal data request denial procedures. CC ID 00450 | Privacy protection for information and data | Data and Information Management | |
| Include when a country's laws prevent disclosure as a reason for denial in the personal data request denial procedures. CC ID 00451 | Privacy protection for information and data | Data and Information Management | |
| Include disclosing personal data that would interfere with grievance proceeding or employee security investigations as a reason for denial in the personal data request denial procedures. CC ID 06873 | Privacy protection for information and data | Data and Information Management | |
| Include disclosing personal data that would interfere with commercial acquisitions or reorganizations as a reason for denial in the personal data request denial procedures. CC ID 06874 | Privacy protection for information and data | Data and Information Management | |
| Include if the cost or burden of disclosing the personal data is disproportionate as a reason for denial in the personal data request denial procedures. CC ID 06875 | Privacy protection for information and data | Data and Information Management | |
| Notify interested personnel and affected parties of the reasons the data access request was refused. CC ID 00453 | Privacy protection for information and data | Data and Information Management | |
| Notify the individual of the organization's legal rights to refuse the personal data access request, as necessary. CC ID 13509 | Privacy protection for information and data | Communicate | |
| Notify individuals of their right to challenge a refusal to a data access request. CC ID 00454 | Privacy protection for information and data | Data and Information Management | |
| Include if the record would constitute an action for breach of a duty of confidence as a reason for denial in the personal data request denial procedures. CC ID 08700 | Privacy protection for information and data | Process or Activity | |
| Disseminate and communicate personal data to the individual that it relates to. CC ID 00428 | Privacy protection for information and data | Data and Information Management | |
| Provide personal data to an individual after the individual's identity has been confirmed. CC ID 06876 | Privacy protection for information and data | Data and Information Management | |
| Notify that data subject of any exclusions to requested personal data. CC ID 15271 | Privacy protection for information and data | Communicate | |
| Provide data or records in a reasonable time frame. CC ID 00429 | Privacy protection for information and data | Data and Information Management | |
| Notify individuals of the new time limit for responding to an access request in a notice of extension. CC ID 13599 | Privacy protection for information and data | Communicate | |
| Extend the time limit for providing personal data in order to convert it to an alternative format. CC ID 13591 | Privacy protection for information and data | Data and Information Management | |
| Extend the time limit for providing personal data if the time is impracticable to respond to the access request. CC ID 13590 | Privacy protection for information and data | Data and Information Management | |
| Extend the time limit for providing data if it would unreasonably interfere with the organization's activities. CC ID 13589 | Privacy protection for information and data | Data and Information Management | |
| Provide data at a cost that is not excessive. CC ID 00430 | Privacy protection for information and data | Data and Information Management | |
| Provide records or data in a reasonable manner. CC ID 00431 | Privacy protection for information and data | Data and Information Management | |
| Provide personal data in a form that is intelligible. CC ID 00432 | Privacy protection for information and data | Data and Information Management | |
| Provide restricted data that would threaten the life or security of another individual after that information has been redacted. CC ID 13604 | Privacy protection for information and data | Data and Information Management | |
| Provide restricted data that would reveal confidential commercial information after that information has been redacted. CC ID 13602 | Privacy protection for information and data | Data and Information Management | |
| Remove data pertaining to third parties before giving the requestor access to the information. CC ID 13601 | Privacy protection for information and data | Data and Information Management | |
| Document that a data search was conducted in case the requested data cannot be found. CC ID 06953 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain a data handling program. CC ID 13427 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain data handling policies. CC ID 00353 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain data and information confidentiality policies. CC ID 00361 [The obligation of professional secrecy shall apply to all persons who are employed or who have been employed by competent authorities. Information covered by professional secrecy may not be disclosed to any other person or authority except by virtue of the laws, regulations or administrative procedures of a Member State. Article 36 2.] | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain record structures to support information confidentiality. CC ID 00360 [Member States shall ensure that all information and documents to which a statutory auditor or audit firm has access when carrying out a statutory audit are protected by adequate rules on confidentiality and professional secrecy. Article 23 1. Competent authorities shall, on request, and without undue delay, supply any information required for the purpose referred to in paragraph 1. Where necessary, the competent authorities receiving any such request shall, without undue delay, take the necessary measures to gather the required information. Information thus supplied shall be covered by the obligation of professional secrecy to which the persons employed or formerly employed by the competent authorities that received the information are subject. Article 36 4. ¶ 1 The working arrangements referred to in paragraph 1(d) shall ensure that: the persons employed or formerly employed by the competent authorities of the third country that receive the information are subject to obligations of professional secrecy; Article 47 2.(b)] | Privacy protection for information and data | Data and Information Management | |
| Include passwords, Personal Identification Numbers, and card security codes in the personal data definition. CC ID 04699 | Privacy protection for information and data | Configuration | |
| Store payment card data in secure chips, if possible. CC ID 13065 | Privacy protection for information and data | Configuration | |
| Refrain from storing data elements containing sensitive authentication data after authorization is approved. CC ID 04758 | Privacy protection for information and data | Configuration | |
| Render unrecoverable sensitive authentication data after authorization is approved. CC ID 11952 | Privacy protection for information and data | Technical Security | |
| Automate the disposition process for records that contain "do not store" data or "delete after transaction process" data. CC ID 06083 | Privacy protection for information and data | Data and Information Management | |
| Log the disclosure of personal data. CC ID 06628 | Privacy protection for information and data | Log Management | |
| Log the modification of personal data. CC ID 11844 | Privacy protection for information and data | Log Management | |
| Encrypt, truncate, or tokenize data fields, as necessary. CC ID 06850 | Privacy protection for information and data | Technical Security | |
| Develop remedies and sanctions for privacy policy violations. CC ID 00474 | Privacy protection for information and data | Data and Information Management | |
| Notify the public and other agencies after a penalty becomes final. CC ID 06217 [Member States shall provide that measures taken and penalties imposed on statutory auditors and audit firms are appropriately disclosed to the public. Penalties shall include the possibility of the withdrawal of approval. Article 30 3.] | Privacy protection for information and data | Behavior | |
| Structure the language of compliance documents. CC ID 06098 | Harmonization Methods and Manual of Style | Establish/Maintain Documentation | |
| Standardize word usage. CC ID 06104 | Harmonization Methods and Manual of Style | Establish/Maintain Documentation | |
| Write policies and instructions using clear and conspicuous language. CC ID 16286 [Member States shall require statutory auditors and audit firms to carry out statutory audits in compliance with international auditing standards adopted by the Commission in accordance with the procedure referred to in Article 48(2). Member States may apply a national auditing standard as long as the Commission has not adopted an international auditing standard covering the same subject-matter. Adopted international auditing standards shall be published in full in each of the official languages of the Community in the Official Journal of the European Union. Article 26 1.] | Harmonization Methods and Manual of Style | Establish/Maintain Documentation | |