0003964
Directive 2006/43/EC of the European Parliament and of the Council of 17 May 2006 on statutory audits of annual accounts and consolidated accounts, amending Council Directives 78/660/EEC and 83/349/EEC and repealing Council Directive 84/253/EEC
European Parliament
Regulations
Free
European SOX
Directive 2006/43/EC of the European Parliament and of the Council of 17 May 2006 on statutory audits of annual accounts and consolidated accounts, amending Council Directives 78/660/EEC and 83/349/EEC and repealing Council Directive 84/253/EEC
Not Defined
The document as a whole was last reviewed and released on 2024-12-02T00:00:00-0800.
This Authority Document In Depth Report is copyrighted - © 2025 - Network Frontiers LLC. All rights reserved. Copyright in the Authority Document analyzed herein is held by its authors. Network Frontiers makes no claims of copyright in this Authority Document.
This Authority Document In Depth Report is provided for informational purposes only and does not constitute, and should not be construed as, legal advice. The reader is encouraged to consult with an attorney experienced in these areas for further explanation and advice.
This Authority Document In Depth Report provides analysis and guidance for use and implementation of the Authority Document but it is not a substitute for the original authority document itself. Readers should refer to the original authority document as the definitive resource on obligations and compliance requirements.
This document has been mapped into the Unified Compliance Framework using a patented methodology and patented tools. The mapping team has taken every effort to ensure the quality of mapping is of the highest degree.
When the UCF Mapping Teams tag Citations and their associated mandates within an Authority Document, those Citations and Mandates are tied to Common Controls. In addition, and by virtue of those Citations and mandates being tied to Common Controls, there are three sets of metadata associated with each Citation: Controls by Impact Zone, Controls by Type, and Controls by Classification.
The online version of the mapping analysis you see here is just a fraction of the work the UCF Mapping Team has done. The downloadable version of this document, available within the Common Controls Hub, contains the following:
Document implementation analysis – statistics about the document’s alignment with Common Controls as compared to other Authority Documents and statistics on usage of key terms and non-standard terms.
Citation and Mandate Tagging and Mapping – A complete listing of each and every Citation we found within Directive 2006/43/EC of the European Parliament and of the Council of 17 May 2006 on statutory audits of annual accounts and consolidated accounts, amending Council Directives 78/660/EEC and 83/349/EEC and repealing Council Directive 84/253/EEC that have been tagged with their primary and secondary nouns and primary and secondary verbs in three column format. The first column shows the Citation (the marker within the Authority Document that points to where we found the guidance). The second column shows the Citation guidance per se, along with the tagging for the mandate we found within the Citation. The third column shows the Common Control ID that the mandate is linked to, and the final column gives us the Common Control itself.
Dictionary Terms – The dictionary terms listed for Directive 2006/43/EC of the European Parliament and of the Council of 17 May 2006 on statutory audits of annual accounts and consolidated accounts, amending Council Directives 78/660/EEC and 83/349/EEC and repealing Council Directive 84/253/EEC are based upon terms either found within the Authority Document’s defined terms section (which most legal documents have), its glossary, and for the most part, as tagged within each mandate. The terms with links are terms that are the standardized version of the term.
An Impact Zone is a hierarchical way of organizing our suite of Common Controls — it is a taxonomy. The top levels of the UCF hierarchy are called Impact Zones. Common Controls are mapped within the UCF’s Impact Zones and are maintained in a legal hierarchy within that Impact Zone. Each Impact Zone deals with a separate area of policies, standards, and procedures: technology acquisition, physical security, continuity, records management, etc.
The UCF created its taxonomy by looking at the corpus of standards and regulations through the lens of unification and a view toward how the controls impact the organization. Thus, we created a hierarchical structure for each impact zone that takes into account regulatory and standards bodies, doctrines, and language.
KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term

Mandated - bold; Implied - italic; Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Audits and risk management CC ID 00677 | IT Impact Zone | IT Impact Zone | |
Publish a Statement of Compliance for the organization's external requirements. CC ID 12350 [Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: the overall results of the quality assurance system shall be published annually; Article 29 1.(i)] | Communicate | Preventive | |
Include a commitment to cooperate with applicable statutory bodies in the Statement of Compliance. CC ID 12370 [The competent authorities of Member States responsible for approval, registration, quality assurance, inspection and discipline shall cooperate with each other whenever necessary for the purpose of carrying out their respective responsibilities under this Directive. The competent authorities in a Member State responsible for approval, registration, quality assurance, inspection and discipline shall render assistance to competent authorities in other Member States. In particular, competent authorities shall exchange information and cooperate in investigations related to the carrying-out of statutory audits. Article 36 1.] | Establish/Maintain Documentation | Preventive | |
Define the roles and responsibilities for personnel assigned to tasks in the Audit function. CC ID 00678 [Member States shall ensure that in the case of a statutory audit of the consolidated accounts of a group of undertakings: the group auditor bears the full responsibility for the audit report in relation with the consolidated accounts; Article 27 ¶ 1 (a)] | Establish Roles | Preventive | |
Rotate auditors, as necessary. CC ID 15589 [Member States shall ensure that the key audit partner(s) responsible for carrying out a statutory audit rotate(s) from the audit engagement within a maximum period of seven years from the date of appointment and is/are allowed to participate in the audit of the audited entity again after a period of at least two years. Article 42 2.] | Audits and Risk Management | Preventive | |
Withdraw the approvals of auditors, as necessary. CC ID 17260 [Approval of a statutory auditor or an audit firm shall be withdrawn if the good repute of that person or firm has been seriously compromised. Member States may, however, provide for a reasonable period of time for the purpose of meeting the requirements of good repute. Article 5 1. Approval of an audit firm shall be withdrawn if any of the conditions imposed in Article 3(4), points (b) and (c) is no longer fulfilled. Member States may, however, provide for a reasonable period of time for the purpose of fulfilling those conditions. Article 5 2. Member States shall ensure that statutory auditors or audit firms may be dismissed only where there are proper grounds. Divergence of opinions on accounting treatments or audit procedures shall not be proper grounds for dismissal. Article 38 1.] | Business Processes | Preventive | |
Notify interested personnel and affected parties of the reasons for the withdrawal of auditors. CC ID 17283 [Member States shall ensure that the audited entity and the statutory auditor or audit firm inform the authority or authorities responsible for public oversight concerning the dismissal or resignation of the statutory auditor or audit firm during the term of appointment and give an adequate explanation of the reasons therefor. Article 38 2.] | Communicate | Preventive | |
Define the qualification requirements for auditors. CC ID 17259 [The competent authorities of the Member States may approve as audit firms only those entities which satisfy the following conditions: the natural persons who carry out statutory audits on behalf of an audit firm must satisfy at least the conditions imposed by Articles 4 and 6 to 12 and must be approved as statutory auditors in the Member State concerned; Article 3 4.(a) Without prejudice to Article 11, the competent authorities of the Member States may approve as statutory auditors only natural persons who satisfy at least the conditions laid down in Articles 4 and 6 to 10. Article 3 3. The competent authorities of the Member States may approve as audit firms only those entities which satisfy the following conditions: a majority of the voting rights in an entity must be held by audit firms which are approved in any Member State or by natural persons who satisfy at least the conditions imposed by Articles 4 and 6 to 12. Member States may provide that such natural persons must also have been approved in another Member State. For the purpose of the statutory audit of cooperatives and similar entities as referred to in Article 45 of Directive 86/635/EEC, Member States may establish other specific provisions in relation to voting rights; Article 3 4.(b) The competent authorities of the Member States may approve as audit firms only those entities which satisfy the following conditions: a majority — up to a maximum of 75 % — of the members of the administrative or management body of the entity must be audit firms which are approved in any Member State or natural persons who satisfy at least the conditions imposed by Articles 4 and 6 to 12. Member States may provide that such natural persons must also have been approved in another Member State. Where such a body has no more than two members, one of those members must satisfy at least the conditions in this point; Article 3 4.(c) The competent authorities of the Member States may approve as audit firms only those entities which satisfy the following conditions: the firm must satisfy the condition imposed by Article 4. Article 3 4.(d) {audit firms} The competent authorities of a Member State may grant approval only to natural persons or firms of good repute. Article 4 ¶ 1 Without prejudice to Article 11, a natural person may be approved to carry out a statutory audit only after having attained university entrance or equivalent level, then completed a course of theoretical instruction, undergone practical training and passed an examination of professional competence of university final or equivalent examination level, organised or recognised by the Member State concerned. Article 6 ¶ 1 A Member State may approve a person who does not satisfy the conditions laid down in Article 6 as a statutory auditor, if he or she can show either: that he or she has, for 15 years, engaged in professional activities which have enabled him or her to acquire sufficient experience in the fields of finance, law and accountancy, and has passed the examination of professional competence referred to in Article 7, or Article 11 ¶ 1 (a) A Member State may approve a person who does not satisfy the conditions laid down in Article 6 as a statutory auditor, if he or she can show either: that he or she has, for seven years, engaged in professional activities in those fields and has, in addition, undergone the practical training referred to in Article 10 and passed the examination of professional competence referred to in Article 7. Article 11 ¶ 1 (b) The competent authorities of the Member States shall establish procedures for the approval of statutory auditors who have been approved in other Member States. Those procedures shall not go beyond a requirement to pass an aptitude test in accordance with Article 4 of Council Directive 89/48/EEC of 21 December 1988 on a general system for the recognition of higher-education diplomas awarded on completion of professional education and training of at least three years' duration (18). The aptitude test, which shall be conducted in one of the languages permitted by the language rules applicable in the Member State concerned, shall cover only the statutory auditor's adequate knowledge of the laws and regulations of that Member State in so far as relevant to statutory audits. Article 14 ¶ 1 In order to ensure the ability to apply theoretical knowledge in practice, a test of which is included in the examination, a trainee shall complete a minimum of three years' practical training in, inter alia, the auditing of annual accounts, consolidated accounts or similar financial statements. At least two thirds of such practical training shall be completed with a statutory auditor or audit firm approved in any Member State. Article 10 1. Member States shall ensure that the key audit partner(s) responsible for carrying out a statutory audit rotate(s) from the audit engagement within a maximum period of seven years from the date of appointment and is/are allowed to participate in the audit of the audited entity again after a period of at least two years. Article 42 2. Subject to reciprocity, the competent authorities of a Member State may approve a third-country auditor as statutory auditor if that person has furnished proof that he or she complies with requirements equivalent to those laid down in Articles 4 and 6 to 13. Article 44 1.] | Human Resources Management | Preventive | |
Disseminate and communicate the auditor's qualification requirements to interested personnel and affected parties. CC ID 17265 | Communicate | Preventive | |
Report audit findings to interested personnel and affected parties. CC ID 01152 [The statutory auditor or audit firm shall report to the audit committee on key matters arising from the statutory audit, and in particular on material weaknesses in internal control in relation to the financial reporting process. Article 41 4.] | Testing | Detective | |
Define and assign the external auditor's roles and responsibilities. CC ID 00683 [The statutory auditor or audit firm shall be appointed by the general meeting of shareholders or members of the audited entity. Article 37 1.] | Establish Roles | Preventive | |
Review external auditor outsourcing contracts and engagement letters. CC ID 01189 [Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: the scope of the quality assurance review, supported by adequate testing of selected audit files, shall include an assessment of compliance with applicable auditing standards and independence requirements, of the quantity and quality of resources spent, of the audit fees charged and of the internal quality control system of the audit firm; Article 29 1.(f)] | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in external auditor outsourcing contracts. CC ID 16523 | Establish/Maintain Documentation | Preventive | |
Conduct a performance review of the external auditor's performance during the audit process. CC ID 01198 [{investigation process} {disciplinary process} The system of public oversight shall have the ultimate responsibility for the oversight of: continuing education, quality assurance and investigative and disciplinary systems. Article 32 4.(c) The competent authorities of Member States responsible for approval, registration, quality assurance, inspection and discipline shall cooperate with each other whenever necessary for the purpose of carrying out their respective responsibilities under this Directive. The competent authorities in a Member State responsible for approval, registration, quality assurance, inspection and discipline shall render assistance to competent authorities in other Member States. In particular, competent authorities shall exchange information and cooperate in investigations related to the carrying-out of statutory audits. Article 36 1. The system of public oversight shall have the right, where necessary, to conduct investigations in relation to statutory auditors and audit firms and the right to take appropriate action. Article 32 5. Member States shall ensure that there are effective systems of investigations and penalties to detect, correct and prevent inadequate execution of the statutory audit. Article 30 1. {third-country audit entity} Member States shall subject registered third-country auditors and audit entities to their systems of oversight, their quality assurance systems and their systems of investigation and penalties. A Member State may exempt a registered third-country auditor or audit entity from being subject to its quality assurance system if another Member State's or third country's system of quality assurance that has been assessed as equivalent in accordance with Article 46 has carried out a quality review of the third-country auditor or audit entity concerned during the previous three years. Article 45 3.] | Audits and Risk Management | Preventive | |
Establish, implement, and maintain an audit program. CC ID 00684 [Without prejudice to the responsibility of the members of the administrative, management or supervisory bodies, or of other members who are appointed by the general meeting of shareholders of the audited entity, the audit committee shall, inter alia: monitor the statutory audit of the annual and consolidated accounts; Article 41 2.(c)] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain audit policies. CC ID 13166 | Establish/Maintain Documentation | Preventive | |
Assign the audit to impartial auditors. CC ID 07118 [Member States shall ensure that when carrying out a statutory audit, the statutory auditor and/or the audit firm is independent of the audited entity and is not involved in the decision-taking of the audited entity. Article 22 1. {alternative measures} Member States may allow alternative systems or modalities for the appointment of the statutory auditor or audit firm, provided that those systems or modalities are designed to ensure the independence of the statutory auditor or audit firm from the executive members of the administrative body or from the managerial body of the audited entity. Article 37 2.] | Establish Roles | Preventive | |
Define what constitutes a threat to independence. CC ID 16824 [In addition to the provisions laid down in Articles 22 and 24, Member States shall ensure that statutory auditors or audit firms that carry out the statutory audit of a public-interest entity: discuss with the audit committee the threats to their independence and the safeguards applied to mitigate those threats as documented by them pursuant to Article 22(3). Article 42 1.(c)] | Audits and Risk Management | Preventive | |
Mitigate the threats to an auditor's independence. CC ID 17282 [Member States shall ensure that a statutory auditor or an audit firm shall not carry out a statutory audit if there is any direct or indirect financial, business, employment or other relationship — including the provision of additional non-audit services — between the statutory auditor, audit firm or network and the audited entity from which an objective, reasonable and informed third party would conclude that the statutory auditor's or audit firm's independence is compromised. If the statutory auditor's or audit firm's independence is affected by threats, such as self-review, self-interest, advocacy, familiarity or trust or intimidation, the statutory auditor or audit firm must apply safeguards in order to mitigate those threats. If the significance of the threats compared to the safeguards applied is such that his, her or its independence is compromised, the statutory auditor or audit firm shall not carry out the statutory audit. Article 22 2. ¶ 1 Member States shall ensure that a statutory auditor or audit firm documents in the audit working papers all significant threats to his, her or its independence as well as the safeguards applied to mitigate those threats. Article 22 3. {administrative bodies} {management bodies} Member States shall ensure that the owners or shareholders of an audit firm as well as the members of the administrative, management and supervisory bodies of such a firm, or of an affiliated firm, do not intervene in the execution of a statutory audit in any way which jeopardises the independence and objectivity of the statutory auditor who carries out the statutory audit on behalf of the audit firm. Article 24 ¶ 1 In addition to the provisions laid down in Articles 22 and 24, Member States shall ensure that statutory auditors or audit firms that carry out the statutory audit of a public-interest entity: discuss with the audit committee the threats to their independence and the safeguards applied to mitigate those threats as documented by them pursuant to Article 22(3). Article 42 1.(c)] | Process or Activity | Preventive | |
Determine if requested services create a threat to independence. CC ID 16823 [Member States shall ensure that a statutory auditor or audit firm documents in the audit working papers all significant threats to his, her or its independence as well as the safeguards applied to mitigate those threats. Article 22 3. Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: the scope of the quality assurance review, supported by adequate testing of selected audit files, shall include an assessment of compliance with applicable auditing standards and independence requirements, of the quantity and quality of resources spent, of the audit fees charged and of the internal quality control system of the audit firm; Article 29 1.(f) Without prejudice to the responsibility of the members of the administrative, management or supervisory bodies, or of other members who are appointed by the general meeting of shareholders of the audited entity, the audit committee shall, inter alia: review and monitor the independence of the statutory auditor or audit firm, and in particular the provision of additional services to the audited entity. Article 41 2.(d)] | Audits and Risk Management | Detective | |
Include resource requirements in the audit program. CC ID 15237 | Establish/Maintain Documentation | Preventive | |
Include risks and opportunities in the audit program. CC ID 15236 | Establish/Maintain Documentation | Preventive | |
Establish and maintain audit terms. CC ID 13880 | Establish/Maintain Documentation | Preventive | |
Refrain from approving changes to the audit terms absent reasonable justification. CC ID 13973 | Process or Activity | Preventive | |
Include a statement about the inherent limitations of the audit in the audit terms. CC ID 13883 | Establish/Maintain Documentation | Preventive | |
Include a statement that the audit will be conducted in accordance with attestation standards in the audit terms. CC ID 13882 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain agreed upon procedures that are in scope for the audit. CC ID 13893 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an in scope system description. CC ID 14873 | Establish/Maintain Documentation | Preventive | |
Include in scope procedures in the audit assertion's in scope system description. CC ID 16551 | Audits and Risk Management | Preventive | |
Include roles and responsibilities in the audit assertion's in scope system description. CC ID 16558 | Audits and Risk Management | Preventive | |
Include the audit criteria in the audit assertion's in scope system description. CC ID 16548 | Audits and Risk Management | Preventive | |
Include facility locations in the audit assertion's in scope system description. CC ID 17261 | Establish/Maintain Documentation | Preventive | |
Include third party data in the audit assertion's in scope system description. CC ID 16554 | Audits and Risk Management | Preventive | |
Include third party personnel in the audit assertion's in scope system description. CC ID 16552 | Audits and Risk Management | Preventive | |
Include compliance requirements in the audit assertion's in scope system description. CC ID 16506 | Audits and Risk Management | Preventive | |
Include third party assets in the audit assertion's in scope system description. CC ID 16550 | Audits and Risk Management | Preventive | |
Include third party services in the audit assertion's in scope system description. CC ID 16503 | Establish/Maintain Documentation | Preventive | |
Include monitoring controls in the audit assertion's in scope system description. CC ID 16501 | Establish/Maintain Documentation | Preventive | |
Include availability commitments in the audit assertion's in scope system description. CC ID 14914 | Establish/Maintain Documentation | Preventive | |
Include deviations and the corrective actions taken in the audit assertion's in scope system description. CC ID 16549 | Audits and Risk Management | Preventive | |
Include changes in the audit assertion's in scope system description. CC ID 14894 | Establish/Maintain Documentation | Preventive | |
Include external communications in the audit assertion's in scope system description. CC ID 14913 | Establish/Maintain Documentation | Preventive | |
Include a section regarding incidents related to the system in the audit assertion’s in scope system description. CC ID 14878 | Establish/Maintain Documentation | Preventive | |
Include the function performed by the in scope system in the audit assertion's in scope system description. CC ID 14911 | Establish/Maintain Documentation | Preventive | |
Include the disposition of the incident in the audit assertion's in scope system description. CC ID 14896 | Establish/Maintain Documentation | Preventive | |
Include the extent of the incident in the audit assertion's in scope system description. CC ID 14895 | Establish/Maintain Documentation | Preventive | |
Include the timing of each incident in the audit assertion's in scope system description. CC ID 14891 | Establish/Maintain Documentation | Preventive | |
Include the nature of each incident in the audit assertion's in scope system description. CC ID 14889 | Establish/Maintain Documentation | Preventive | |
Include a section regarding in scope controls related to the system in the audit assertion's in scope system description. CC ID 14897 | Establish/Maintain Documentation | Preventive | |
Include how the in scope system meets external requirements in the audit assertion's in scope system description. CC ID 16502 | Establish/Maintain Documentation | Preventive | |
Include the timing of each control in the audit assertion's in scope system description. CC ID 14916 | Establish/Maintain Documentation | Preventive | |
Include the nature of the control in the audit assertion's in scope system description. CC ID 14910 | Establish/Maintain Documentation | Preventive | |
Include the information sources used in performing the control in the audit assertion's in scope system description. CC ID 14909 | Establish/Maintain Documentation | Preventive | |
Include the responsible party for performing the control in the audit assertion's in scope system description. CC ID 14907 | Establish/Maintain Documentation | Preventive | |
Include the subject matter to which the control is applied in the audit assertion's in scope system description. CC ID 14904 | Establish/Maintain Documentation | Preventive | |
Refrain from omitting or distorting information in the audit assertion's in scope system description. CC ID 14893 | Establish/Maintain Documentation | Preventive | |
Include the timing of each change in the audit assertion's in scope system description. CC ID 14892 | Establish/Maintain Documentation | Preventive | |
Include the system boundaries in the audit assertion's in scope system description. CC ID 14887 | Establish/Maintain Documentation | Preventive | |
Determine the presentation method of the audit assertion's in scope system description. CC ID 14885 | Establish/Maintain Documentation | Detective | |
Include the time frame covered by the description in the audit assertion's in scope system description. CC ID 14884 | Establish/Maintain Documentation | Preventive | |
Include commitments to third parties in the audit assertion. CC ID 14899 | Establish/Maintain Documentation | Preventive | |
Determine the completeness of the audit assertion's in scope system description. CC ID 14883 | Establish/Maintain Documentation | Preventive | |
Determine the appropriateness of the audit assertion's in scope system description. CC ID 16449 | Audits and Risk Management | Detective | |
Include system requirements in the audit assertion's in scope system description. CC ID 14881 | Establish/Maintain Documentation | Preventive | |
Include third party controls in the audit assertion's in scope system description. CC ID 14880 | Establish/Maintain Documentation | Preventive | |
Hold an opening meeting with interested personnel and affected parties prior to an audit. CC ID 15256 | Audits and Risk Management | Preventive | |
Identify personnel who should attend the closing meeting. CC ID 15261 | Business Processes | Preventive | |
Confirm audit requirements during the opening meeting. CC ID 15255 | Audits and Risk Management | Detective | |
Include discussions about how particular situations will be handled in the opening meeting. CC ID 15254 | Audits and Risk Management | Preventive | |
Include third party assets in the audit scope. CC ID 16504 | Audits and Risk Management | Preventive | |
Examine the availability of the audit criteria in the audit program. CC ID 16520 | Investigate | Preventive | |
Examine the relevance of the audit criteria in the audit program. CC ID 07107 | Establish/Maintain Documentation | Preventive | |
Determine the appropriateness of the audit subject matter. CC ID 16505 | Audits and Risk Management | Preventive | |
Include in scope information in the audit program. CC ID 16198 | Establish/Maintain Documentation | Preventive | |
Include the date of the audit in the representation letter. CC ID 16517 | Audits and Risk Management | Preventive | |
Include a statement that management has evaluated compliance with external requirements in the representation letter. CC ID 13942 | Establish/Maintain Documentation | Preventive | |
Include a statement that management has disclosed the implementation status in the representation letter. CC ID 17162 | Audits and Risk Management | Preventive | |
Include a statement that the assumptions used for estimates are reasonable in the representation letter. CC ID 13934 | Establish/Maintain Documentation | Preventive | |
Include a statement that uncorrected misstatements are believed to be immaterial in the representation letter. CC ID 13884 | Establish/Maintain Documentation | Preventive | |
Include a statement that system incidents have been disclosed to the auditor in the representation letter. CC ID 16772 | Establish/Maintain Documentation | Preventive | |
Include a statement that incidents of fraud and non-compliance have been disclosed to the auditor in the representation letter. CC ID 16769 | Establish/Maintain Documentation | Preventive | |
Include a statement that deficiencies in internal controls have been disclosed to the auditor in the representation letter. CC ID 13899 | Establish/Maintain Documentation | Preventive | |
Establish and maintain audit assertions, as necessary. CC ID 14871 | Establish/Maintain Documentation | Detective | |
Include an in scope system description in the audit assertion. CC ID 14872 | Establish/Maintain Documentation | Preventive | |
Include any assumptions that are improbable in the audit assertion. CC ID 13950 | Establish/Maintain Documentation | Preventive | |
Include investigations and legal proceedings in the audit assertion. CC ID 16846 | Establish/Maintain Documentation | Preventive | |
Include the responsible party's opinion of the quality of the evidence in the audit assertion. CC ID 13949 | Establish/Maintain Documentation | Preventive | |
Establish and maintain a practitioner’s report on management’s assertions, as necessary. CC ID 13888 | Establish/Maintain Documentation | Preventive | |
Refrain from changing the date of the practitioner's report on agreed-upon procedures when reissuing it. CC ID 13896 | Establish/Maintain Documentation | Corrective | |
Hold a closing meeting following an audit to present audit findings and conclusions. CC ID 15248 | Communicate | Preventive | |
Schedule attestation engagement meetings with interested personnel and affected parties, as necessary. CC ID 15263 | Business Processes | Preventive | |
Refrain from performing an attestation engagement under defined conditions. CC ID 13952 [Member States shall in addition ensure that, where statutory audits of public-interest entities are concerned and where appropriate to safeguard the statutory auditor's or audit firm's independence, a statutory auditor or an audit firm shall not carry out a statutory audit in cases of self-review or self-interest. Article 22 2. ¶ 2 Member States shall ensure that a statutory auditor or an audit firm shall not carry out a statutory audit if there is any direct or indirect financial, business, employment or other relationship — including the provision of additional non-audit services — between the statutory auditor, audit firm or network and the audited entity from which an objective, reasonable and informed third party would conclude that the statutory auditor's or audit firm's independence is compromised. If the statutory auditor's or audit firm's independence is affected by threats, such as self-review, self-interest, advocacy, familiarity or trust or intimidation, the statutory auditor or audit firm must apply safeguards in order to mitigate those threats. If the significance of the threats compared to the safeguards applied is such that his, her or its independence is compromised, the statutory auditor or audit firm shall not carry out the statutory audit. Article 22 2. ¶ 1] | Audits and Risk Management | Detective | |
Refrain from accepting an attestation engagement when the engaging party refuses to sign the engagement letter. CC ID 14912 | Business Processes | Preventive | |
Refrain from accepting an attestation engagement unless the prospective financial information includes a summary of significant assumptions. CC ID 13954 | Behavior | Preventive | |
Refrain from accepting an attestation engagement when all parties disagree on the procedures. CC ID 13951 | Audits and Risk Management | Preventive | |
Accept the attestation engagement when all preconditions are met. CC ID 13933 | Business Processes | Preventive | |
Audit in scope audit items and compliance documents. CC ID 06730 [A statutory audit shall be carried out only by statutory auditors or audit firms which are approved by the Member State requiring the statutory audit. Article 3 1. Member States shall require statutory auditors and audit firms to carry out statutory audits in compliance with international auditing standards adopted by the Commission in accordance with the procedure referred to in Article 48(2). Member States may apply a national auditing standard as long as the Commission has not adopted an international auditing standard covering the same subject-matter. Adopted international auditing standards shall be published in full in each of the official languages of the Community in the Official Journal of the European Union. Article 26 1.] | Audits and Risk Management | Preventive | |
Collect all work papers for the audit and audit report into an engagement file. CC ID 07001 [Member States shall ensure that in the case of a statutory audit of the consolidated accounts of a group of undertakings: when a component of a group of undertakings is audited by auditor(s) or audit entity(ies) from a third country that has no working arrangement as referred to in Article 47, the group auditor is responsible for ensuring proper delivery, when requested, to the public oversight authorities of the documentation of the audit work performed by the third-country auditor(s) or audit entity(ies), including the working papers relevant to the group audit. To ensure such delivery, the group auditor shall retain a copy of such documentation, or alternatively agree with the third-country auditor(s) or audit entity(ies) his proper and unrestricted access upon request, or take any other appropriate action. If legal or other impediments prevent audit working papers from being passed from a third country to the group auditor, the documentation retained by the group auditor shall include evidence that he or she has undertaken the appropriate procedures in order to gain access to the audit documentation, and in the case of impediments other than legal ones arising from country legislation, evidence supporting such an impediment. Article 27 ¶ 1 (c)] | Actionable Reports or Measurements | Preventive | |
Disclose work papers in the engagement file in compliance with legal requirements. CC ID 07180 [Member States may allow the transfer to the competent authorities of a third country of audit working papers or other documents held by statutory auditors or audit firms approved by them, provided that: those audit working papers or other documents relate to audits of companies which have issued securities in that third country or which form part of a group issuing statutory consolidated accounts in that third country; Article 47 1.(a) Member States may allow the transfer to the competent authorities of a third country of audit working papers or other documents held by statutory auditors or audit firms approved by them, provided that: the transfer takes place via the home competent authorities to the competent authorities of that third country and at their request; Article 47 1.(b) Member States may allow the transfer to the competent authorities of a third country of audit working papers or other documents held by statutory auditors or audit firms approved by them, provided that: the competent authorities of the third country concerned meet requirements which have been declared adequate in accordance with paragraph 3; Article 47 1.(c) Member States may allow the transfer to the competent authorities of a third country of audit working papers or other documents held by statutory auditors or audit firms approved by them, provided that: there are working arrangements on the basis of reciprocity agreed between the competent authorities concerned; Article 47 1.(d) Member States may allow the transfer to the competent authorities of a third country of audit working papers or other documents held by statutory auditors or audit firms approved by them, provided that: the transfer of personal data to the third country is in accordance with Chapter IV of Directive 95/46/EC. Article 47 1.(e) In exceptional cases and by way of derogation from paragraph 1, Member States may allow statutory auditors and audit firms approved by them to transfer audit working papers and other documents directly to the competent authorities of a third country, provided that: investigations have been initiated by the competent authorities in that third country; Article 47 4.(a) In exceptional cases and by way of derogation from paragraph 1, Member States may allow statutory auditors and audit firms approved by them to transfer audit working papers and other documents directly to the competent authorities of a third country, provided that: the transfer does not conflict with the obligations with which statutory auditors and audit firms are required to comply in relation to the transfer of audit working papers and other documents to their home competent authority; Article 47 4.(b) In exceptional cases and by way of derogation from paragraph 1, Member States may allow statutory auditors and audit firms approved by them to transfer audit working papers and other documents directly to the competent authorities of a third country, provided that: there are working arrangements with the competent authorities of that third country that allow the competent authorities in the Member State reciprocal direct access to audit working papers and other documents of that third-country's audit entities; Article 47 4.(c) In exceptional cases and by way of derogation from paragraph 1, Member States may allow statutory auditors and audit firms approved by them to transfer audit working papers and other documents directly to the competent authorities of a third country, provided that: the requesting competent authority of the third country informs in advance the home competent authority of the statutory auditor or audit firm of each direct request for information, indicating the reasons therefor; Article 47 4.(d) In exceptional cases and by way of derogation from paragraph 1, Member States may allow statutory auditors and audit firms approved by them to transfer audit working papers and other documents directly to the competent authorities of a third country, provided that: the conditions referred to in paragraph 2 are respected. Article 47 4.(e)] | Establish/Maintain Documentation | Preventive | |
Conduct onsite inspections, as necessary. CC ID 16199 | Testing | Preventive | |
Identify hypothetical assumptions in forecasts and projections during an audit. CC ID 13946 | Audits and Risk Management | Detective | |
Refrain from examining forecasts and projections which refrain from disclosing assumptions during an audit. CC ID 13932 | Audits and Risk Management | Detective | |
Audit cybersecurity risk management within the policies, standards, and procedures of the organization. CC ID 13011 | Investigate | Detective | |
Audit the potential costs of compromise to information systems. CC ID 13012 | Investigate | Detective | |
Investigate the nature and causes of misstatements in the audit assertion's in scope system description. CC ID 16557 | Audits and Risk Management | Detective | |
Determine the effect of fraud and non-compliance on the description of the system in the audit assertion, as necessary. CC ID 13977 | Process or Activity | Detective | |
Determine if the audit assertion's in scope controls are reasonable. CC ID 06980 | Testing | Detective | |
Determine the effect of fraud and non-compliance on the achievement of in scope controls in the audit assertion, as necessary. CC ID 13978 | Process or Activity | Detective | |
Document test plans for auditing in scope controls. CC ID 06985 | Testing | Detective | |
Determine the effectiveness of in scope controls. CC ID 06984 [Without prejudice to the responsibility of the members of the administrative, management or supervisory bodies, or of other members who are appointed by the general meeting of shareholders of the audited entity, the audit committee shall, inter alia: monitor the effectiveness of the company's internal control, internal audit where applicable, and risk management systems; Article 41 2.(b)] | Testing | Detective | |
Review audit reports to determine the effectiveness of in scope controls. CC ID 12156 [Without prejudice to the responsibility of the members of the administrative, management or supervisory bodies, or of other members who are appointed by the general meeting of shareholders of the audited entity, the audit committee shall, inter alia: monitor the effectiveness of the company's internal control, internal audit where applicable, and risk management systems; Article 41 2.(b)] | Audits and Risk Management | Detective | |
Interview stakeholders to determine the effectiveness of in scope controls. CC ID 12154 | Audits and Risk Management | Detective | |
Review documentation to determine the effectiveness of in scope controls. CC ID 16522 | Process or Activity | Preventive | |
Review policies and procedures to determine the effectiveness of in scope controls. CC ID 12144 | Audits and Risk Management | Detective | |
Evaluate personnel status changes to determine the effectiveness of in scope controls. CC ID 16556 | Audits and Risk Management | Detective | |
Determine whether individuals performing a control have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 16555 | Audits and Risk Management | Detective | |
Refrain from using audit evidence that is not sufficient. CC ID 17163 | Audits and Risk Management | Preventive | |
Report that audit evidence collected was not sufficient to the proper authorities. CC ID 16847 | Communicate | Preventive | |
Establish, implement, and maintain interview procedures. CC ID 16282 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the interview procedures. CC ID 16297 | Human Resources Management | Preventive | |
Coordinate the scheduling of interviews. CC ID 16293 | Process or Activity | Preventive | |
Create a schedule for the interviews. CC ID 16292 | Process or Activity | Preventive | |
Identify interviewees. CC ID 16290 | Process or Activity | Preventive | |
Verify statements made by interviewees are correct. CC ID 16299 | Behavior | Detective | |
Discuss unsolved questions with the interviewee. CC ID 16298 | Process or Activity | Detective | |
Allow interviewee to respond to explanations. CC ID 16296 | Process or Activity | Detective | |
Explain the requirements being discussed to the interviewee. CC ID 16294 | Process or Activity | Detective | |
Explain the testing results to the interviewee. CC ID 16291 | Process or Activity | Preventive | |
Withdraw from the audit, when defined conditions exist. CC ID 13885 | Process or Activity | Corrective | |
Establish and maintain work papers, as necessary. CC ID 13891 [Member States shall ensure that in the case of a statutory audit of the consolidated accounts of a group of undertakings: the group auditor carries out a review and maintains documentation of his or her review of the audit work performed by third-country auditor(s), statutory auditor(s), third-country audit entity(ies) or audit firm(s) for the purpose of the group audit. The documentation retained by the group auditor shall be such as enables the relevant competent authority to review the work of the group auditor properly; Article 27 ¶ 1 (b) The working arrangements referred to in paragraph 1(d) shall ensure that: the competent authorities of the third country may use audit working papers and other documents only for the exercise of their functions of public oversight, quality assurance and investigations that meet requirements equivalent to those of Articles 29, 30 and 32; Article 47 2.(c)] | Establish/Maintain Documentation | Preventive | |
Include the auditor's conclusions on work performed by individuals assigned to the audit in the work papers. CC ID 16775 | Establish/Maintain Documentation | Preventive | |
Include audit irregularities in the work papers. CC ID 16774 | Establish/Maintain Documentation | Preventive | |
Include corrective actions in the work papers. CC ID 16771 | Establish/Maintain Documentation | Preventive | |
Include information about the organization being audited and the auditor performing the audit in the work papers. CC ID 16770 | Establish/Maintain Documentation | Preventive | |
Include discussions with interested personnel and affected parties in the work papers. CC ID 16768 | Establish/Maintain Documentation | Preventive | |
Include justification for departing from mandatory requirements in the work papers. CC ID 13935 | Establish/Maintain Documentation | Preventive | |
Include audit evidence obtained from previous engagements in the work papers. CC ID 16518 [Member States shall ensure that in the case of a statutory audit of the consolidated accounts of a group of undertakings: when a component of a group of undertakings is audited by auditor(s) or audit entity(ies) from a third country that has no working arrangement as referred to in Article 47, the group auditor is responsible for ensuring proper delivery, when requested, to the public oversight authorities of the documentation of the audit work performed by the third-country auditor(s) or audit entity(ies), including the working papers relevant to the group audit. To ensure such delivery, the group auditor shall retain a copy of such documentation, or alternatively agree with the third-country auditor(s) or audit entity(ies) his proper and unrestricted access upon request, or take any other appropriate action. If legal or other impediments prevent audit working papers from being passed from a third country to the group auditor, the documentation retained by the group auditor shall include evidence that he or she has undertaken the appropriate procedures in order to gain access to the audit documentation, and in the case of impediments other than legal ones arising from country legislation, evidence supporting such an impediment. Article 27 ¶ 1 (c)] | Audits and Risk Management | Preventive | |
Include the reviewer, and dates, for using evidential matter to test in scope controls in the work papers. CC ID 06998 | Establish/Maintain Documentation | Preventive | |
Include the tests, examinations, interviews and observations performed during the audit in the work papers. CC ID 07190 | Establish/Maintain Documentation | Preventive | |
Include if any subject matter experts or additional research had to be undertaken to test in scope controls in the work papers. CC ID 07026 | Establish/Maintain Documentation | Preventive | |
Include the tester, and dates, for using evidential matter to test in scope controls in the work papers. CC ID 06997 | Establish/Maintain Documentation | Preventive | |
Include if the audit evidence has identified in scope control deficiencies in the work papers. CC ID 07152 | Audits and Risk Management | Detective | |
Include any subsequent events related to the audit assertion or audit subject matter in the work papers. CC ID 07177 | Audits and Risk Management | Preventive | |
Include if in scope control deviations allow in scope controls to be performed acceptably in the work papers. CC ID 06987 | Testing | Detective | |
Include the causes of identified in scope control deficiencies in the work papers. CC ID 07000 | Establish/Maintain Documentation | Preventive | |
Include discussions regarding the causes of identified in scope control deficiencies in the work papers. CC ID 06999 | Establish/Maintain Documentation | Preventive | |
Engage subject matter experts when the auditor requires additional expertise during an attestation engagement, as necessary. CC ID 13971 | Process or Activity | Preventive | |
Review the subject matter expert's findings. CC ID 16559 | Audits and Risk Management | Detective | |
Establish, implement, and maintain a practitioner’s report on agreed-upon procedures. CC ID 13894 | Establish/Maintain Documentation | Preventive | |
Provide auditors access to all in scope records, in scope assets, personnel and in scope procedures. CC ID 06966 [Where a statutory auditor or audit firm is replaced by another statutory auditor or audit firm, the former statutory auditor or audit firm shall provide the incoming statutory auditor or audit firm with access to all relevant information concerning the audited entity. Article 23 3.] | Audits and Risk Management | Preventive | |
Permit assessment teams to conduct audits, as necessary. CC ID 16430 | Investigate | Detective | |
Establish and maintain a practitioner's examination report on pro forma financial information. CC ID 13968 | Establish/Maintain Documentation | Preventive | |
Include references to where financial information was derived in the practitioner's review report on pro forma financial information. CC ID 13982 | Establish/Maintain Documentation | Preventive | |
Include a statement that the financial statements used were audited by other practitioners in the practitioner's examination report on pro forma financial information, as necessary. CC ID 13981 | Establish/Maintain Documentation | Preventive | |
Establish and maintain organizational audit reports. CC ID 06731 | Establish/Maintain Documentation | Preventive | |
Determine what disclosures are required in the audit report. CC ID 14888 | Establish/Maintain Documentation | Detective | |
Include the purpose in the audit report. CC ID 17263 | Establish/Maintain Documentation | Preventive | |
Include the justification for not following the applicable requirements in the audit report. CC ID 16822 | Audits and Risk Management | Preventive | |
Include a statement that the applicable requirements were not followed in the audit report. CC ID 16821 | Audits and Risk Management | Preventive | |
Include audit subject matter in the audit report. CC ID 14882 | Establish/Maintain Documentation | Preventive | |
Include an other-matter paragraph in the audit report. CC ID 14901 | Establish/Maintain Documentation | Preventive | |
Identify the audit team members in the audit report. CC ID 15259 | Human Resources Management | Detective | |
Include that the auditee did not provide comments in the audit report. CC ID 16849 | Establish/Maintain Documentation | Preventive | |
Include written agreements in the audit report. CC ID 17266 | Establish/Maintain Documentation | Preventive | |
Write the audit report using clear and conspicuous language. CC ID 13948 | Establish/Maintain Documentation | Preventive | |
Include a statement that the sufficiency of the agreed upon procedures is the responsibility of the specified parties in the audit report. CC ID 13936 | Establish/Maintain Documentation | Preventive | |
Include a statement that the financial statements were audited in the audit report. CC ID 13963 | Establish/Maintain Documentation | Preventive | |
Include the criteria that financial information was measured against in the audit report. CC ID 13966 | Establish/Maintain Documentation | Preventive | |
Include a description of the financial information being reported on in the audit report. CC ID 13965 | Establish/Maintain Documentation | Preventive | |
Include references to any adjustments of financial information in the audit report. CC ID 13964 | Establish/Maintain Documentation | Preventive | |
Include in the audit report that audit opinions are not dependent on references to subject matter experts, as necessary. CC ID 13953 | Establish/Maintain Documentation | Preventive | |
Include references to historical financial information used in the audit report. CC ID 13961 | Establish/Maintain Documentation | Preventive | |
Include a statement about the inherent limitations of the audit in the audit report. CC ID 14900 | Establish/Maintain Documentation | Preventive | |
Include a description of the limitations on the usefulness of hypothetical assumptions in the audit report. CC ID 13958 | Establish/Maintain Documentation | Preventive | |
Structure the audit report to be in the form of procedures and findings. CC ID 13940 | Establish/Maintain Documentation | Preventive | |
Include information about the organization being audited and the auditor performing the audit in the audit report. CC ID 07004 [In addition to the provisions laid down in Articles 22 and 24, Member States shall ensure that statutory auditors or audit firms that carry out the statutory audit of a public-interest entity: disclose annually to the audit committee any additional services provided to the audited entity; and Article 42 1.(b)] | Actionable Reports or Measurements | Preventive | |
Include any discussions of significant findings in the audit report. CC ID 13955 | Establish/Maintain Documentation | Preventive | |
Include the date and with whom discussions about significant findings took place in the audit report. CC ID 13962 | Establish/Maintain Documentation | Preventive | |
Include the audit criteria in the audit report. CC ID 13945 | Establish/Maintain Documentation | Preventive | |
Include a statement in the audit report that the agreed upon procedures were potentially insufficient in identifying material risks, as necessary. CC ID 13957 | Establish/Maintain Documentation | Preventive | |
Include all hypothetical assumptions in the audit report. CC ID 13947 | Establish/Maintain Documentation | Preventive | |
Include a statement that the agreed upon procedures involves collecting evidence in the audit report. CC ID 13956 | Establish/Maintain Documentation | Preventive | |
Include a statement that the agreed upon procedures were performed by all parties in the audit report. CC ID 13931 | Establish/Maintain Documentation | Preventive | |
Include references to subject matter experts in the audit report when citing qualified opinions. CC ID 13929 | Establish/Maintain Documentation | Preventive | |
Include a description of the assistance provided by Subject Matter Experts in the audit report. CC ID 13939 | Establish/Maintain Documentation | Preventive | |
Include a review of the subject matter expert's findings in the audit report. CC ID 13972 | Establish/Maintain Documentation | Preventive | |
Include all restrictions on the audit in the audit report. CC ID 13930 | Establish/Maintain Documentation | Preventive | |
Include a statement that the auditor has no responsibility to update the audit report after its submission. CC ID 13943 | Establish/Maintain Documentation | Preventive | |
Include a statement on the auditor's ethical requirements in the audit report. CC ID 16767 | Establish/Maintain Documentation | Preventive | |
Include a statement that the responsible party refused to provide a written assertion in the audit report. CC ID 13887 | Establish/Maintain Documentation | Preventive | |
Include a statement that the examination involves procedures for collecting evidence in the audit report. CC ID 13941 | Establish/Maintain Documentation | Preventive | |
Express an adverse opinion in the audit report when significant assumptions are not suitably supported. CC ID 13944 | Establish/Maintain Documentation | Preventive | |
Include a statement that modifications to historical evidence accurately reflect current evidence in the audit report. CC ID 13938 | Establish/Maintain Documentation | Preventive | |
Refrain from referencing previous engagements in the audit report. CC ID 16516 | Audits and Risk Management | Preventive | |
Refrain from referencing other auditor's work in the audit report. CC ID 13881 | Establish/Maintain Documentation | Preventive | |
Identify the participants from the organization being audited in the audit report. CC ID 15258 | Audits and Risk Management | Detective | |
Include how in scope controls meet external requirements in the audit report. CC ID 16450 | Establish/Maintain Documentation | Preventive | |
Include the in scope records used to obtain audit evidence in the description of tests of controls and results in the audit report. CC ID 14915 | Establish/Maintain Documentation | Preventive | |
Include recommended corrective actions in the audit report. CC ID 16197 | Establish/Maintain Documentation | Preventive | |
Include the cost of corrective action in the audit report. CC ID 17015 | Audits and Risk Management | Preventive | |
Include risks and opportunities in the audit report. CC ID 16196 | Establish/Maintain Documentation | Preventive | |
Include the description of tests of controls and results in the audit report. CC ID 14898 | Establish/Maintain Documentation | Preventive | |
Include the nature of the tests performed in the description of tests of controls and results in the audit report. CC ID 14908 | Establish/Maintain Documentation | Preventive | |
Include the test scope in the description of tests of controls and results in the audit report. CC ID 14906 | Establish/Maintain Documentation | Preventive | |
Identify the stakeholders interviewed to obtain audit evidence in the description of tests of controls and results in the audit report. CC ID 14905 | Establish/Maintain Documentation | Preventive | |
Include the timing of controls in the description of tests of controls and results in the audit report. CC ID 16553 | Audits and Risk Management | Preventive | |
Include the controls that were tested in the description of tests of controls and results in the audit report. CC ID 14902 | Establish/Maintain Documentation | Preventive | |
Include subsequent events related to the audit assertion or audit subject matter in the audit report. CC ID 16773 | Establish/Maintain Documentation | Preventive | |
Include that the organization is the responsible party for providing in scope services in the audit report. CC ID 14903 | Establish/Maintain Documentation | Preventive | |
Include an emphasis-of-matter paragraph in the audit report. CC ID 14890 | Establish/Maintain Documentation | Preventive | |
Review past audit reports. CC ID 01155 [Member States shall ensure that in the case of a statutory audit of the consolidated accounts of a group of undertakings: the group auditor carries out a review and maintains documentation of his or her review of the audit work performed by third-country auditor(s), statutory auditor(s), third-country audit entity(ies) or audit firm(s) for the purpose of the group audit. The documentation retained by the group auditor shall be such as enables the relevant competent authority to review the work of the group auditor properly; Article 27 ¶ 1 (b)] | Establish/Maintain Documentation | Detective | |
Refrain from including the description of the audit in the audit report when the auditor is disclaiming an audit opinion. CC ID 13975 | Establish/Maintain Documentation | Preventive | |
Refrain from including scope limitations from changed attestation engagements in the audit report. CC ID 13983 | Establish/Maintain Documentation | Preventive | |
Refrain from including in the audit report any procedures that were performed that the auditor is disclaiming in an audit opinion. CC ID 13974 | Establish/Maintain Documentation | Preventive | |
Include deficiencies and non-compliance in the audit report. CC ID 14879 | Establish/Maintain Documentation | Corrective | |
Determine the effect of deficiencies on the audit report, as necessary. CC ID 14886 | Investigate | Detective | |
Determine the effect of fraud and non-compliance on the audit report, as necessary. CC ID 13979 | Process or Activity | Detective | |
Include the results of the business impact analysis in the audit report. CC ID 17208 | Establish/Maintain Documentation | Preventive | |
Include qualified opinions in the audit report. CC ID 13928 | Establish/Maintain Documentation | Preventive | |
Include a description of the reasons for modifying the audit opinion in the audit report. CC ID 13898 | Establish/Maintain Documentation | Corrective | |
Include that the auditor did not express an opinion in the audit report, as necessary. CC ID 13886 | Establish/Maintain Documentation | Preventive | |
Disclaim the audit opinion in the audit report, as necessary. CC ID 13901 | Business Processes | Corrective | |
Refrain from including reference to procedures performed in previous attestation engagements in the audit report. CC ID 13970 | Establish/Maintain Documentation | Preventive | |
Include a statement in the audit report that no procedures were performed subsequent to the date of the practitioner's review report on pro forma financial information, as necessary. CC ID 13969 | Establish/Maintain Documentation | Preventive | |
Modify the audit opinion in the audit report under defined conditions. CC ID 13937 | Establish/Maintain Documentation | Corrective | |
Include the written signature of the auditor's organization in the audit report. CC ID 13897 [Where an audit firm carries out the statutory audit, the audit report shall be signed by at least the statutory auditor(s) carrying out the statutory audit on behalf of the audit firm. In exceptional circumstances Member States may provide that this signature need not be disclosed to the public if such disclosure could lead to an imminent and significant threat to the personal security of any person. In any case the name(s) of the person(s) involved shall be known to the relevant competent authorities. Article 28 1.] | Establish/Maintain Documentation | Preventive | |
Include a statement that additional reports are being submitted in the audit report. CC ID 16848 | Establish/Maintain Documentation | Preventive | |
Define the roles and responsibilities for distributing the audit report. CC ID 16845 | Human Resources Management | Preventive | |
Disseminate and communicate the reasons the audit report was delayed to interested personnel and affected parties. CC ID 15257 | Communicate | Preventive | |
Notify auditees if disclosure of audit documentation is required by law. CC ID 15249 | Communicate | Preventive | |
Submit an audit report that is complete. CC ID 01145 [Member States shall ensure that in the case of a statutory audit of the consolidated accounts of a group of undertakings: when a component of a group of undertakings is audited by auditor(s) or audit entity(ies) from a third country that has no working arrangement as referred to in Article 47, the group auditor is responsible for ensuring proper delivery, when requested, to the public oversight authorities of the documentation of the audit work performed by the third-country auditor(s) or audit entity(ies), including the working papers relevant to the group audit. To ensure such delivery, the group auditor shall retain a copy of such documentation, or alternatively agree with the third-country auditor(s) or audit entity(ies) his proper and unrestricted access upon request, or take any other appropriate action. If legal or other impediments prevent audit working papers from being passed from a third country to the group auditor, the documentation retained by the group auditor shall include evidence that he or she has undertaken the appropriate procedures in order to gain access to the audit documentation, and in the case of impediments other than legal ones arising from country legislation, evidence supporting such an impediment. Article 27 ¶ 1 (c)] | Testing | Detective | |
Monitor and report on the status of mitigation actions in the corrective action plan. CC ID 15250 | Actionable Reports or Measurements | Corrective | |
Define penalties for uncorrected audit findings or remaining non-compliant with the audit report. CC ID 08963 [If the recommendations referred to in point (j) are not followed up, the statutory auditor or audit firm shall, if applicable, be subject to the system of disciplinary actions or penalties referred to in Article 30. Article 29 1. ¶ 1 Member States shall ensure that there are effective systems of investigations and penalties to detect, correct and prevent inadequate execution of the statutory audit. Article 30 1.] | Establish/Maintain Documentation | Preventive | |
Evaluate the competency of auditors. CC ID 15253 | Human Resources Management | Detective | |
Assess the quality of the audit program in regards to its documentation. CC ID 11622 [Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: the scope of the quality assurance review, supported by adequate testing of selected audit files, shall include an assessment of compliance with applicable auditing standards and independence requirements, of the quantity and quality of resources spent, of the audit fees charged and of the internal quality control system of the audit firm; Article 29 1.(f)] | Audits and Risk Management | Preventive | |
Include the audit criteria in the audit plan. CC ID 15262 | Establish/Maintain Documentation | Preventive | |
Include a list of reference documents in the audit plan. CC ID 15260 | Establish/Maintain Documentation | Preventive | |
Include the languages to be used for the audit in the audit plan. CC ID 15252 | Establish/Maintain Documentation | Preventive | |
Include the allocation of resources in the audit plan. CC ID 15251 | Establish/Maintain Documentation | Preventive | |
Include communication protocols in the audit plan. CC ID 15247 | Establish/Maintain Documentation | Preventive | |
Include the level of audit sampling necessary to collect sufficient audit evidence in the audit plan. CC ID 15246 | Establish/Maintain Documentation | Preventive | |
Include meeting schedules in the audit plan. CC ID 15245 | Establish/Maintain Documentation | Preventive | |
Include the time frames for the audit in the audit plan. CC ID 15244 | Establish/Maintain Documentation | Preventive | |
Include the time frames for conducting the audit in the audit plan. CC ID 15243 | Establish/Maintain Documentation | Preventive | |
Include the locations to be audited in the audit plan. CC ID 15242 | Establish/Maintain Documentation | Preventive | |
Include the processes to be audited in the audit plan. CC ID 15241 | Establish/Maintain Documentation | Preventive | |
Include audit objectives in the audit plan. CC ID 15240 | Establish/Maintain Documentation | Preventive | |
Include the risks associated with audit activities in the audit plan. CC ID 15239 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the audit plan to interested personnel and affected parties. CC ID 15238 | Communicate | Preventive | |
Determine the effectiveness of risk control measures. CC ID 06601 [Without prejudice to the responsibility of the members of the administrative, management or supervisory bodies, or of other members who are appointed by the general meeting of shareholders of the audited entity, the audit committee shall, inter alia: monitor the effectiveness of the company's internal control, internal audit where applicable, and risk management systems; Article 41 2.(b)] | Testing | Detective | |
Establish, implement, and maintain a disclosure report. CC ID 15521 [The system of public oversight shall be transparent. This shall include the publication of annual work programmes and activity reports. Article 32 6.] | Establish/Maintain Documentation | Preventive | |
Include a summary of the questions and statements from surveys or studies in the disclosure report. CC ID 15631 | Establish/Maintain Documentation | Preventive | |
Include a statement that confidential information has been omitted in the disclosure report. CC ID 16598 | Establish/Maintain Documentation | Preventive | |
Include legal proceedings in the disclosure report. CC ID 15564 | Establish/Maintain Documentation | Preventive | |
Include the context of monetary losses from legal proceedings in the disclosure report. CC ID 15533 | Establish/Maintain Documentation | Preventive | |
Include the nature of monetary losses from legal proceedings in the disclosure report. CC ID 15532 | Establish/Maintain Documentation | Preventive | |
Include goals and targets in the disclosure report. CC ID 16339 [Member States shall ensure that statutory auditors and audit firms that carry out statutory audit(s) of public-interest entities publish on their websites, within three months of the end of each financial year, annual transparency reports that include at least the following: a description of the internal quality control system of the audit firm and a statement by the administrative or management body on the effectiveness of its functioning; Article 40 1.(d)] | Establish/Maintain Documentation | Preventive | |
Include the governance, risk, and compliance approach in the disclosure report. CC ID 16024 | Establish/Maintain Documentation | Preventive | |
Include the relationship between organizational requirements and external requirements in the disclosure report. CC ID 16154 | Establish/Maintain Documentation | Preventive | |
Include external requirements in the disclosure report. CC ID 16150 | Establish/Maintain Documentation | Preventive | |
Include the classification of risks and opportunities posed by climate change in the disclosure report. CC ID 16096 | Establish/Maintain Documentation | Preventive | |
Include board oversight of risks and opportunities in the disclosure report. CC ID 16337 | Establish/Maintain Documentation | Preventive | |
Include risk management procedures in the disclosure report. CC ID 16058 | Establish/Maintain Documentation | Preventive | |
Include the risk management strategy in the disclosure report. CC ID 16348 | Establish/Maintain Documentation | Preventive | |
Include risk assessment procedures in the disclosure report. CC ID 16343 | Establish/Maintain Documentation | Preventive | |
Include the organization's primary activities in the disclosure report. CC ID 16043 | Establish/Maintain Documentation | Preventive | |
Include business operations owned by the organization in the disclosure report. CC ID 15614 | Establish/Maintain Documentation | Preventive | |
Include critical business operations that support cloud services in the disclosure report. CC ID 15612 | Establish/Maintain Documentation | Preventive | |
Include the relationship between the tax strategy and the organizational strategy in the disclosure report. CC ID 16035 | Establish/Maintain Documentation | Preventive | |
Include reference to assurance statements in the disclosure report. CC ID 16033 [Member States shall ensure that statutory auditors and audit firms that carry out statutory audit(s) of public-interest entities publish on their websites, within three months of the end of each financial year, annual transparency reports that include at least the following: an indication of when the last quality assurance review referred to in Article 29 took place; Article 40 1.(e)] | Establish/Maintain Documentation | Preventive | |
Include a description of assurance processes in the disclosure report. CC ID 16031 [Member States shall ensure that statutory auditors and audit firms that carry out statutory audit(s) of public-interest entities publish on their websites, within three months of the end of each financial year, annual transparency reports that include at least the following: a description of the internal quality control system of the audit firm and a statement by the administrative or management body on the effectiveness of its functioning; Article 40 1.(d)] | Establish/Maintain Documentation | Preventive | |
Include metrics in the disclosure report. CC ID 15916 | Establish/Maintain Documentation | Preventive | |
Include metrics on diversity and equal opportunity in the disclosure report. CC ID 15934 | Establish/Maintain Documentation | Preventive | |
Include the percentage of individuals in each racial group or ethnic group in the disclosure report. CC ID 15632 | Establish/Maintain Documentation | Preventive | |
Include the percentage of individuals in specified age groups in the disclosure report. CC ID 15871 | Establish/Maintain Documentation | Preventive | |
Include the percentage of individuals in each gender category in the disclosure report. CC ID 15952 | Actionable Reports or Measurements | Detective | |
Include the number of individuals in each region in the disclosure report. CC ID 15835 | Establish/Maintain Documentation | Preventive | |
Include the number of individuals in each gender category in the disclosure report. CC ID 15633 | Establish/Maintain Documentation | Preventive | |
Include the total number of incidents of discrimination in the disclosure report. CC ID 15788 | Establish/Maintain Documentation | Preventive | |
Include the ratio of the basic salary and remuneration of women and men in the disclosure report. CC ID 15869 | Establish/Maintain Documentation | Preventive | |
Include the percentage of individuals in specified diversity categories in the disclosure report. CC ID 15870 | Establish/Maintain Documentation | Preventive | |
Include metrics criteria in the disclosure report. CC ID 16143 | Establish/Maintain Documentation | Preventive | |
Include risk management metrics in the disclosure report. CC ID 16345 | Establish/Maintain Documentation | Preventive | |
Include financial management metrics in the disclosure report. CC ID 16042 [Member States shall ensure that statutory auditors and audit firms that carry out statutory audit(s) of public-interest entities publish on their websites, within three months of the end of each financial year, annual transparency reports that include at least the following: financial information showing the importance of the audit firm, such as the total turnover divided into fees from the statutory audit of annual and consolidated accounts, and fees charged for other assurance services, tax advisory services and other non-audit services; Article 40 1.(i)] | Establish/Maintain Documentation | Preventive | |
Include the total amount of corporate income tax accrued on profit/loss in the disclosure report. CC ID 16107 | Actionable Reports or Measurements | Detective | |
Include the total monetary value of subsidies received from the government in the disclosure report. CC ID 16101 | Actionable Reports or Measurements | Detective | |
Include revenues in the disclosure report. CC ID 16099 | Actionable Reports or Measurements | Detective | |
Include the economic value distributed in the disclosure report. CC ID 16086 | Actionable Reports or Measurements | Detective | |
Include total monetary value of payments to capital providers in the disclosure report. CC ID 16092 | Actionable Reports or Measurements | Detective | |
Include total monetary value of payments to governments in the disclosure report. CC ID 16091 | Actionable Reports or Measurements | Detective | |
Include total monetary value of employee wages and benefits in the disclosure report. CC ID 16090 | Actionable Reports or Measurements | Detective | |
Include total monetary value of community investments in the disclosure report. CC ID 16089 | Actionable Reports or Measurements | Detective | |
Include operating costs in the disclosure report. CC ID 16088 | Actionable Reports or Measurements | Detective | |
Include economic value retained in the disclosure report. CC ID 16094 | Actionable Reports or Measurements | Detective | |
Include the direct economic value generated and distributed in the disclosure report. CC ID 16085 | Actionable Reports or Measurements | Detective | |
Include the total monetary value of financial assistance received from the government in the disclosure report. CC ID 16087 | Actionable Reports or Measurements | Detective | |
Include the total monetary value of awards received from the government in the disclosure report. CC ID 16106 | Actionable Reports or Measurements | Detective | |
Include the total monetary value of financial incentives received from the government in the disclosure report. CC ID 16105 | Actionable Reports or Measurements | Detective | |
Include a breakdown of financial assistance received from the government in the disclosure report. CC ID 16104 | Establish/Maintain Documentation | Preventive | |
Include the total monetary value of tax relief and tax credits received from the government in the disclosure report. CC ID 16102 | Actionable Reports or Measurements | Detective | |
Include the total monetary value of grants received from the government in the disclosure report. CC ID 16100 | Actionable Reports or Measurements | Detective | |
Include the total monetary value of royalty holidays received from the government in the disclosure report. CC ID 16097 | Actionable Reports or Measurements | Detective | |
Include the total monetary value of financial assistance received from Export Credit Agencies in the disclosure report. CC ID 16095 | Actionable Reports or Measurements | Detective | |
Include the total amount of corporate income tax paid on a cash basis in the disclosure report. CC ID 16050 | Actionable Reports or Measurements | Detective | |
Include the total monetary value of tangible assets other than cash and cash equivalents in the disclosure report. CC ID 16048 | Actionable Reports or Measurements | Detective | |
Include revenues from intragroup transactions with other tax jurisdictions in the disclosure report. CC ID 16046 | Actionable Reports or Measurements | Detective | |
Include revenues from third party sales in the disclosure report. CC ID 16045 | Actionable Reports or Measurements | Detective | |
Include the profit and loss before tax in the disclosure report. CC ID 16044 | Actionable Reports or Measurements | Detective | |
Include metrics on anti-corruption in the disclosure report. CC ID 16052 | Establish/Maintain Documentation | Preventive | |
Include the percentage of interested personnel and affected parties that have received training on anti-corruption in the disclosure report. CC ID 16073 | Actionable Reports or Measurements | Detective | |
Include the percentage of interested personnel and affected parties to whom the anti-corruption program has been communicated in the disclosure report. CC ID 16072 | Actionable Reports or Measurements | Detective | |
Include the total number of interested personnel and affected parties to whom the anti-corruption program has been communicated in the disclosure report. CC ID 16071 | Actionable Reports or Measurements | Detective | |
Include the total number of incidents where contracts with business partners were terminated due to corruption in the disclosure report. CC ID 16070 | Actionable Reports or Measurements | Detective | |
Include the total number of interested personnel and affected parties that have received training on anti-corruption in the disclosure report. CC ID 16069 | Actionable Reports or Measurements | Detective | |
Include the total number of incidents in which employees were dismissed or disciplined for corruption in the disclosure report. CC ID 16068 | Actionable Reports or Measurements | Detective | |
Include the total number of incidents of corruption in the disclosure report. CC ID 16066 | Actionable Reports or Measurements | Detective | |
Include the percentage of operations assessed for risks related to corruption in the disclosure report. CC ID 16063 | Actionable Reports or Measurements | Detective | |
Include the total number of operations assessed for risks related to corruption in the disclosure report. CC ID 16062 | Actionable Reports or Measurements | Detective | |
Include environmental management metrics in the disclosure report. CC ID 16012 | Establish/Maintain Documentation | Preventive | |
Include the total number of listed species with habitats in areas affected by organizational operations in the disclosure report. CC ID 16038 | Actionable Reports or Measurements | Detective | |
Include a breakdown, by extinction risk, of the listed species with habitats in areas affected by organizational operations in the disclosure report. CC ID 16041 | Establish/Maintain Documentation | Preventive | |
Include the size of operational sites near areas of high biodiversity value in the disclosure report. CC ID 16032 | Actionable Reports or Measurements | Detective | |
Include the size of habitat areas protected or restored by the organization in the disclosure report. CC ID 16023 | Actionable Reports or Measurements | Detective | |
Include metrics on procurement practices in the disclosure report. CC ID 16011 | Establish/Maintain Documentation | Preventive | |
Include the percentage of the procurement budget spent on local suppliers in the disclosure report. CC ID 16022 | Actionable Reports or Measurements | Detective | |
Include emissions management metrics in the disclosure report. CC ID 15987 | Establish/Maintain Documentation | Preventive | |
Include gross energy indirect greenhouse gas emissions in the disclosure report. CC ID 16340 | Actionable Reports or Measurements | Detective | |
Include the total exports of ozone-depleting substances in the disclosure report. CC ID 16083 | Actionable Reports or Measurements | Detective | |
Include the total imports of ozone-depleting substances in the disclosure report. CC ID 16081 | Actionable Reports or Measurements | Detective | |
Include the total production of ozone-depleting substances in the disclosure report. CC ID 16079 | Actionable Reports or Measurements | Detective | |
Include gross other indirect greenhouse gas emissions in the disclosure report. CC ID 16013 | Actionable Reports or Measurements | Detective | |
Include gross direct greenhouse gas emissions in the disclosure report. CC ID 16009 | Actionable Reports or Measurements | Detective | |
Include gross direct greenhouse gas emissions from perfluorinated compounds in the disclosure report. CC ID 16146 | Actionable Reports or Measurements | Detective | |
Include gross market-based energy indirect greenhouse gas emissions in the disclosure report. CC ID 16008 | Actionable Reports or Measurements | Detective | |
Include biogenic carbon dioxide emissions in the disclosure report. CC ID 16007 | Actionable Reports or Measurements | Detective | |
Include gross location-based energy indirect greenhouse gas emissions in the disclosure report. CC ID 16006 | Actionable Reports or Measurements | Detective | |
Include the total amount of significant air emissions in the disclosure report. CC ID 16005 | Actionable Reports or Measurements | Detective | |
Include the total emissions of nitrogen oxides in the disclosure report. CC ID 16084 | Actionable Reports or Measurements | Detective | |
Include the total emissions of sulfur oxides in the disclosure report. CC ID 16082 | Actionable Reports or Measurements | Detective | |
Include the total emissions of volatile organic compounds in the disclosure report. CC ID 16080 | Actionable Reports or Measurements | Detective | |
Include the total emissions of persistent organic pollutants in the disclosure report. CC ID 16078 | Actionable Reports or Measurements | Detective | |
Include the total emissions of particulate matter in the disclosure report. CC ID 16077 | Actionable Reports or Measurements | Detective | |
Include the total emissions of hazardous air pollutants in the disclosure report. CC ID 16076 | Actionable Reports or Measurements | Detective | |
Include the greenhouse gas emissions intensity ratio in the disclosure report. CC ID 16004 | Actionable Reports or Measurements | Detective | |
Include the total amount of reductions in greenhouse gas emissions in the disclosure report. CC ID 15999 | Actionable Reports or Measurements | Detective | |
Include compliance metrics in the disclosure report. CC ID 15932 | Establish/Maintain Documentation | Preventive | |
Include the total number of legal actions against the organization in the disclosure report. CC ID 16003 | Actionable Reports or Measurements | Detective | |
Include the total amount of monetary losses from legal proceedings in the disclosure report. CC ID 15548 | Establish/Maintain Documentation | Preventive | |
Include the total number of fines for instances of non-compliance in the disclosure report. CC ID 15950 | Actionable Reports or Measurements | Detective | |
Include the total number of incidents of non-compliance in the disclosure report. CC ID 15813 | Establish/Maintain Documentation | Preventive | |
Include metrics on labor-management relations in the disclosure report. CC ID 15935 | Establish/Maintain Documentation | Preventive | |
Include the minimum number of weeks' notice provided to employees and their representatives prior to the implementation of significant operational changes that could substantially affect them in the disclosure report. CC ID 15895 | Establish/Maintain Documentation | Preventive | |
Include waste management metrics in the disclosure report. CC ID 15925 | Establish/Maintain Documentation | Preventive | |
Include the total weight of hazardous waste generated from manufacturing operations in the disclosure report. CC ID 16163 | Actionable Reports or Measurements | Detective | |
Include the total volume of significant spills in the disclosure report. CC ID 16010 | Actionable Reports or Measurements | Detective | |
Include the total number of significant spills in the disclosure report. CC ID 15965 | Actionable Reports or Measurements | Detective | |
Include the total weight of hazardous waste directed to disposal in the disclosure report. CC ID 15774 | Establish/Maintain Documentation | Preventive | |
Include the total weight of waste generated in the disclosure report. CC ID 15778 | Establish/Maintain Documentation | Preventive | |
Include a breakdown of hazardous waste directed to disposal in the disclosure report. CC ID 15781 | Establish/Maintain Documentation | Preventive | |
Include a breakdown of waste generated in the disclosure report. CC ID 15775 | Establish/Maintain Documentation | Preventive | |
Include the total weight of non-hazardous waste directed to disposal in the disclosure report. CC ID 15772 | Establish/Maintain Documentation | Preventive | |
Include a breakdown of non-hazardous waste directed to disposal in the disclosure report. CC ID 15780 | Establish/Maintain Documentation | Preventive | |
Include the total weight of non-hazardous waste diverted from disposal in the disclosure report. CC ID 15770 | Establish/Maintain Documentation | Preventive | |
Include a breakdown of non-hazardous waste diverted from disposal in the disclosure report. CC ID 15771 | Establish/Maintain Documentation | Preventive | |
Include the total weight of waste diverted from disposal in the disclosure report. CC ID 15766 | Establish/Maintain Documentation | Preventive | |
Include a breakdown of waste diverted from disposal in the disclosure report. CC ID 15767 | Establish/Maintain Documentation | Preventive | |
Include the total weight of hazardous waste diverted from disposal in the disclosure report. CC ID 15768 | Establish/Maintain Documentation | Preventive | |
Include a breakdown of hazardous waste diverted from disposal in the disclosure report. CC ID 15769 | Establish/Maintain Documentation | Preventive | |
Include the total weight of waste directed to disposal in the disclosure report. CC ID 15777 | Establish/Maintain Documentation | Preventive | |
Include a breakdown of waste directed to disposal in the disclosure report. CC ID 15776 | Establish/Maintain Documentation | Preventive | |
Include product and service management metrics in the disclosure report. CC ID 15917 | Establish/Maintain Documentation | Preventive | |
Include the performance qualification score of laptops in the disclosure report. CC ID 16176 | Actionable Reports or Measurements | Detective | |
Include the battery life score of laptops in the disclosure report. CC ID 16175 | Actionable Reports or Measurements | Detective | |
Include the energy efficiency of laptop computer processors in the disclosure report. CC ID 16174 | Actionable Reports or Measurements | Detective | |
Include the energy efficiency of desktop computer processors in the disclosure report. CC ID 16172 | Actionable Reports or Measurements | Detective | |
Include the energy efficiency of server processors in the disclosure report. CC ID 16170 | Actionable Reports or Measurements | Detective | |
Include the overall ssj_ops/watt of servers in the disclosure report. CC ID 16162 | Actionable Reports or Measurements | Detective | |
Include the percentage of products sold that contain declarable substances in the disclosure report. CC ID 16159 | Actionable Reports or Measurements | Detective | |
Include the SPECspeed2017_int_base score/watt of desktop computers in the disclosure report. CC ID 16160 | Actionable Reports or Measurements | Detective | |
Include the SPECspeed2017_fp_base score/watt of desktop computers in the disclosure report. CC ID 16157 | Actionable Reports or Measurements | Detective | |
Include the average actual sustained download speed in the disclosure report. CC ID 15568 | Actionable Reports or Measurements | Detective | |
Include the number of products and services provided by the organization in the disclosure report. CC ID 15833 | Establish/Maintain Documentation | Preventive | |
Include the average advertised download speed in the disclosure report. CC ID 15567 | Actionable Reports or Measurements | Detective | |
Include the percentage of product or service categories assessed for compliance in the disclosure report. CC ID 15811 | Establish/Maintain Documentation | Preventive | |
Include water management metrics in the disclosure report. CC ID 15924 | Establish/Maintain Documentation | Preventive | |
Include the total water withdrawal in the disclosure report. CC ID 15593 | Establish/Maintain Documentation | Preventive | |
Include the total water withdrawal from locations with significant baseline water stress in the disclosure report. CC ID 15596 | Establish/Maintain Documentation | Preventive | |
Include a breakdown of water withdrawal from locations with significant baseline water stress in the disclosure report. CC ID 15794 | Establish/Maintain Documentation | Preventive | |
Include a breakdown of water withdrawal in the disclosure report. CC ID 15795 | Establish/Maintain Documentation | Preventive | |
Include the percentage of water withdrawn from locations with significant baseline water stress in the disclosure report. CC ID 15949 | Actionable Reports or Measurements | Detective | |
Include the total water discharge in the disclosure report. CC ID 15758 | Establish/Maintain Documentation | Preventive | |
Include a breakdown of water discharge in the disclosure report. CC ID 15759 | Establish/Maintain Documentation | Preventive | |
Include the total water discharge to locations with significant baseline water stress in the disclosure report. CC ID 15760 | Establish/Maintain Documentation | Preventive | |
Include a breakdown of water discharge to locations with significant baseline water stress in the disclosure report. CC ID 15797 | Establish/Maintain Documentation | Preventive | |
Include the percentage of water consumed from locations with significant baseline water stress in the disclosure report. CC ID 15948 | Actionable Reports or Measurements | Detective | |
Include the total water consumption in the disclosure report. CC ID 15642 | Establish/Maintain Documentation | Preventive | |
Include the total water consumption in locations with significant baseline water stress in the disclosure report. CC ID 15598 | Establish/Maintain Documentation | Preventive | |
Include the total number of complaints received in the disclosure report. CC ID 15728 | Establish/Maintain Documentation | Preventive | |
Include the percentage of individuals involved in the study or survey in the disclosure report. CC ID 15643 | Establish/Maintain Documentation | Preventive | |
Include employment practices metrics in the disclosure report. CC ID 15921 [Member States shall ensure that statutory auditors and audit firms that carry out statutory audit(s) of public-interest entities publish on their websites, within three months of the end of each financial year, annual transparency reports that include at least the following: information concerning the basis for the partners' remuneration. Article 40 1.(j)] | Establish/Maintain Documentation | Preventive | |
Include the near miss frequency rate for work-related near misses in the disclosure report. CC ID 16228 | Actionable Reports or Measurements | Detective | |
Include the number of days idle as a result of work stoppages in the disclosure report. CC ID 16217 | Actionable Reports or Measurements | Detective | |
Include the total monetary value of benefit plan liabilities in the disclosure report. CC ID 16108 | Actionable Reports or Measurements | Detective | |
Include the percentage of an employee's salary contributed to benefit plans by employee or employer in the disclosure report. CC ID 16103 | Actionable Reports or Measurements | Detective | |
Include the ratio of entry level wages to the minimum wage in the disclosure report. CC ID 16002 | Actionable Reports or Measurements | Detective | |
Include the percentage of senior management hired from the local community in the disclosure report. CC ID 16001 | Actionable Reports or Measurements | Detective | |
Include the percentage of employees that are foreign nationals in the disclosure report. CC ID 15622 | Actionable Reports or Measurements | Preventive | |
Include the percentage of offshore employees in the disclosure report. CC ID 15623 | Actionable Reports or Measurements | Preventive | |
Include the percentage of employee engagement in the disclosure report. CC ID 15634 | Actionable Reports or Measurements | Preventive | |
Include the percentage of employees covered by collective bargaining agreements in the disclosure report. CC ID 15931 | Actionable Reports or Measurements | Detective | |
Include the rate of new employee hires in the disclosure report. CC ID 15928 | Actionable Reports or Measurements | Detective | |
Include the rate of employee turnover in the disclosure report. CC ID 15898 | Establish/Maintain Documentation | Preventive | |
Include the total number of employees who left the organization in the disclosure report. CC ID 16127 | Actionable Reports or Measurements | Detective | |
Include the total number of new employee hires in the disclosure report. CC ID 15896 | Establish/Maintain Documentation | Preventive | |
Include the total number of employees in the disclosure report. CC ID 15834 | Establish/Maintain Documentation | Preventive | |
Include the number of work stoppages involving one thousand or more workers in the disclosure report. CC ID 16214 | Actionable Reports or Measurements | Detective | |
Include metrics on parental leave in the disclosure report. CC ID 15936 | Establish/Maintain Documentation | Preventive | |
Include the total number of employees that returned to work after parental leave ended that were still employed twelve months after their return to work in the disclosure report. CC ID 15906 | Establish/Maintain Documentation | Preventive | |
Include the total number of employees that were entitled to parental leave in the disclosure report. CC ID 15960 | Actionable Reports or Measurements | Detective | |
Include the total number of employees that took parental leave in the disclosure report. CC ID 15955 | Actionable Reports or Measurements | Detective | |
Include the total number of employees that returned to work in the reporting period after parental leave ended in the disclosure report. CC ID 15946 | Actionable Reports or Measurements | Detective | |
Include the return to work rate of employees that took parental leave in the disclosure report. CC ID 15958 | Actionable Reports or Measurements | Detective | |
Include the retention rate of employees that took parental leave in the disclosure report. CC ID 15962 | Actionable Reports or Measurements | Detective | |
Include the number of hours worked in the disclosure report. CC ID 15910 | Establish/Maintain Documentation | Preventive | |
Include metrics on public policy advocacy in the disclosure report. CC ID 15947 | Establish/Maintain Documentation | Preventive | |
Include the total monetary value of political contributions in the disclosure report. CC ID 15803 | Establish/Maintain Documentation | Preventive | |
Include metrics on training and education in the disclosure report. CC ID 15940 | Establish/Maintain Documentation | Preventive | |
Include the percentage of total employees who received a performance review in the disclosure report. CC ID 15877 | Establish/Maintain Documentation | Preventive | |
Include the average hours of training undertaken by employees in the disclosure report. CC ID 15881 | Establish/Maintain Documentation | Preventive | |
Include the percentage of security personnel who have received training on human rights policies and their application to security in the disclosure report. CC ID 15726 | Actionable Reports or Measurements | Preventive | |
Include operational metrics in the disclosure report. CC ID 15939 | Establish/Maintain Documentation | Preventive | |
Include incident management metrics in the disclosure report. CC ID 15926 | Establish/Maintain Documentation | Preventive | |
Include the user average interruption duration in the disclosure report. CC ID 15558 | Actionable Reports or Measurements | Detective | |
Include the number of service disruptions in services provided to users in the disclosure report. CC ID 15618 | Establish/Maintain Documentation | Preventive | |
Include the system average interruption frequency in the disclosure report. CC ID 15565 | Actionable Reports or Measurements | Detective | |
Include the total user downtime in the disclosure report. CC ID 15635 | Actionable Reports or Measurements | Preventive | |
Include the number of performance issues in services provided to users in the disclosure report. CC ID 15606 | Establish/Maintain Documentation | Preventive | |
Include the total number of operations performed by the organization in the disclosure report. CC ID 15831 | Establish/Maintain Documentation | Preventive | |
Include metrics on information privacy and freedom of expression in the disclosure report. CC ID 15933 | Establish/Maintain Documentation | Preventive | |
Include the percentage of content removal requests with which the organization complied in the disclosure report. CC ID 15649 | Actionable Reports or Measurements | Preventive | |
Include the total number of unique individuals whose information was requested by a third party in the disclosure report. CC ID 15500 | Actionable Reports or Measurements | Detective | |
Include the number of individuals whose personal data is maintained in the disclosure report. CC ID 16792 | Actionable Reports or Measurements | Preventive | |
Include the number of individuals whose information is used for secondary purposes in the disclosure report. CC ID 15557 | Establish/Maintain Documentation | Preventive | |
Include the total number of leaks, thefts, or losses of restricted data in the disclosure report. CC ID 15729 | Establish/Maintain Documentation | Preventive | |
Include the percentage of information requests that resulted in disclosure in the disclosure report. CC ID 15560 | Actionable Reports or Measurements | Detective | |
Include the number of content removal requests in the disclosure report. CC ID 15647 | Establish/Maintain Documentation | Preventive | |
Include the percentage of individuals affected by monitoring, blocking, or filtering in the disclosure report. CC ID 15640 | Establish/Maintain Documentation | Preventive | |
Include the total number of unique requests for an individual's information in the disclosure report. CC ID 15542 | Establish/Maintain Documentation | Preventive | |
Include the total number of unique individuals affected by data breaches in the disclosure report. CC ID 15951 | Actionable Reports or Measurements | Detective | |
Include the percentage of data breaches which involved personal data in the disclosure report. CC ID 15543 | Establish/Maintain Documentation | Preventive | |
Include third party management metrics in the disclosure report. CC ID 15923 | Establish/Maintain Documentation | Preventive | |
Include the total number of contractors and outsource partners in the disclosure report. CC ID 15837 | Establish/Maintain Documentation | Preventive | |
Include metrics on supplier environmental assessments in the disclosure report. CC ID 15937 | Establish/Maintain Documentation | Preventive | |
Include the percentage of suppliers identified as having significant negative environmental impacts with which improvements were agreed upon as a result of assessment in the disclosure report. CC ID 15884 | Establish/Maintain Documentation | Preventive | |
Include the percentage of suppliers identified as having significant negative environmental impacts with which relationships were terminated as a result of assessment in the disclosure report. CC ID 15883 | Establish/Maintain Documentation | Preventive | |
Include the number of suppliers assessed for environmental impacts in the disclosure report. CC ID 15886 | Establish/Maintain Documentation | Preventive | |
Include the number of suppliers identified as having significant negative environmental impacts in the disclosure report. CC ID 15885 | Establish/Maintain Documentation | Preventive | |
Include the percentage of new suppliers that were screened using environmental criteria in the disclosure report. CC ID 15887 | Establish/Maintain Documentation | Preventive | |
Include the percentage of Tier 1 suppliers' manufacturing facilities audited in compliance with the Responsible Business Alliance Validated Audit Process protocol in the disclosure report. CC ID 16216 | Actionable Reports or Measurements | Detective | |
Include metrics on supplier social assessments in the disclosure report. CC ID 15938 | Establish/Maintain Documentation | Preventive | |
Include the percentage of new suppliers that were screened using social criteria in the disclosure report. CC ID 15808 | Establish/Maintain Documentation | Preventive | |
Include the number of suppliers with significant negative social impacts in the disclosure report. CC ID 15807 | Establish/Maintain Documentation | Preventive | |
Include the percentage of suppliers with significant negative social impacts with which improvements were agreed upon in the disclosure report. CC ID 15806 | Establish/Maintain Documentation | Preventive | |
Include the percentage of suppliers having significant negative social impacts with which relationships were terminated in the disclosure report. CC ID 15805 | Establish/Maintain Documentation | Preventive | |
Include the number of suppliers assessed for social impacts in the disclosure report. CC ID 15810 | Establish/Maintain Documentation | Preventive | |
Include customer health and safety management metrics in the disclosure report. CC ID 15922 | Establish/Maintain Documentation | Preventive | |
Include the percentage of product or service categories for which health and safety impacts are assessed for improvement in the disclosure report. CC ID 15814 | Establish/Maintain Documentation | Preventive | |
Include energy management metrics in the disclosure report. CC ID 15920 | Establish/Maintain Documentation | Preventive | |
Include the total energy reduction in the disclosure report. CC ID 15749 | Establish/Maintain Documentation | Preventive | |
Include the total amount of reductions in the energy requirements of products and services in the disclosure report. CC ID 15751 | Establish/Maintain Documentation | Preventive | |
Exclude energy reduction resulting from reduced production capacity or outsourcing in the disclosure report. CC ID 15750 | Establish/Maintain Documentation | Preventive | |
Include the power usage effectiveness in the disclosure report. CC ID 15552 | Actionable Reports or Measurements | Detective | |
Include the total heating sold in the disclosure report. CC ID 15739 | Establish/Maintain Documentation | Preventive | |
Include the energy intensity ratio in the disclosure report. CC ID 15735 | Actionable Reports or Measurements | Preventive | |
Include the total fuel consumption from non-renewable energy sources in the disclosure report. CC ID 15746 | Establish/Maintain Documentation | Preventive | |
Include the total electricity sold in the disclosure report. CC ID 15740 | Establish/Maintain Documentation | Preventive | |
Include the total energy consumption in the disclosure report. CC ID 15506 | Establish/Maintain Documentation | Preventive | |
Include the total fuel consumption from renewable energy sources in the disclosure report. CC ID 15744 | Establish/Maintain Documentation | Preventive | |
Include the total heating consumption in the disclosure report. CC ID 15743 | Establish/Maintain Documentation | Preventive | |
Include the total cooling sold in the disclosure report. CC ID 15738 | Establish/Maintain Documentation | Preventive | |
Include the total cooling consumption in the disclosure report. CC ID 15742 | Establish/Maintain Documentation | Preventive | |
Include the total steam sold in the disclosure report. CC ID 15737 | Establish/Maintain Documentation | Preventive | |
Include the total steam consumption in the disclosure report. CC ID 15741 | Establish/Maintain Documentation | Preventive | |
Include the fuel types used in the disclosure report. CC ID 15745 | Establish/Maintain Documentation | Preventive | |
Include the percentage of energy consumed that is renewable energy in the disclosure report. CC ID 15549 | Actionable Reports or Measurements | Detective | |
Include the percentage of energy consumed that was supplied by grid electricity in the disclosure report. CC ID 15541 | Actionable Reports or Measurements | Detective | |
Include materials management metrics in the disclosure report. CC ID 15919 | Establish/Maintain Documentation | Preventive | |
Include the percentage of recovered materials that were reused in the disclosure report. CC ID 15563 | Actionable Reports or Measurements | Detective | |
Include the total weight or volume of renewable materials used by the organization in the disclosure report. CC ID 15791 | Establish/Maintain Documentation | Preventive | |
Include the weight of recovered materials through product take-back programs and recycling services in the disclosure report. CC ID 15562 | Establish/Maintain Documentation | Preventive | |
Include the percentage of recovered materials that were recycled or remanufactured in the disclosure report. CC ID 15574 | Actionable Reports or Measurements | Detective | |
Include the weight of recovered materials in the disclosure report. CC ID 16203 | Actionable Reports or Measurements | Detective | |
Include the percentage of recovered materials that were landfilled in the disclosure report. CC ID 15578 | Actionable Reports or Measurements | Detective | |
Include the total weight or volume of non-renewable materials used by the organization in the disclosure report. CC ID 15792 | Establish/Maintain Documentation | Preventive | |
Include occupational health and safety management metrics in the disclosure report. CC ID 15918 | Establish/Maintain Documentation | Preventive | |
Include the total number of employees and non-employees covered by the occupational health and safety management system in the disclosure report. CC ID 15891 | Establish/Maintain Documentation | Preventive | |
Include the total number of work-related injuries in the disclosure report. CC ID 15899 | Establish/Maintain Documentation | Preventive | |
Include the number of cases of work-related ill health in the disclosure report. CC ID 15914 | Establish/Maintain Documentation | Preventive | |
Include the rate of work-related injuries in the disclosure report. CC ID 15944 | Actionable Reports or Measurements | Detective | |
Include the percentage of employees and non-employees covered by the occupational health and safety management system in the disclosure report. CC ID 15943 | Actionable Reports or Measurements | Detective | |
Include the percentage of manufacturing facilities audited in compliance with the Responsible Business Alliance Validated Audit Process protocol in the disclosure report. CC ID 16207 | Actionable Reports or Measurements | Detective | |
Include the rate of fatalities as a result of work-related injuries in the disclosure report. CC ID 15954 | Actionable Reports or Measurements | Detective | |
Include the number of fatalities as a result of work-related ill health in the disclosure report. CC ID 15942 | Actionable Reports or Measurements | Detective | |
Include the total number of fatalities as a result of work-related injuries in the disclosure report. CC ID 15953 | Actionable Reports or Measurements | Detective | |
Include outsourcing arrangements in the disclosure report. CC ID 15621 | Establish/Maintain Documentation | Preventive | |
Include business operations outsourced to third parties in the disclosure report. CC ID 15616 | Establish/Maintain Documentation | Preventive | |
Include how material topics are managed in the disclosure report. CC ID 15657 | Establish/Maintain Documentation | Preventive | |
Include disclosures for each material topic in the disclosure report. CC ID 15658 | Establish/Maintain Documentation | Preventive | |
Include a description of how the organization manages privacy in the disclosure report. CC ID 15785 | Establish/Maintain Documentation | Preventive | |
Include the content removal policy in the disclosure report. CC ID 15650 | Establish/Maintain Documentation | Preventive | |
Include the level of management approval required for content removal requests in the disclosure report. CC ID 15653 | Establish/Maintain Documentation | Preventive | |
Include requirements for content removal requests in the disclosure report. CC ID 15652 | Establish/Maintain Documentation | Preventive | |
Include the conditions for denying content removal requests in the disclosure report. CC ID 15651 | Establish/Maintain Documentation | Preventive | |
Include the scope of content removal requests in the disclosure report. CC ID 15648 | Establish/Maintain Documentation | Preventive | |
Include a description of data subjects in the disclosure report. CC ID 16791 | Establish/Maintain Documentation | Preventive | |
Include the categories of personal data maintained by the organization in the disclosure report. CC ID 16790 | Establish/Maintain Documentation | Preventive | |
Include a business need justification for personal data processing in the disclosure report. CC ID 16788 | Establish/Maintain Documentation | Preventive | |
Include the personal data use purpose specification in the disclosure report. CC ID 16786 | Establish/Maintain Documentation | Preventive | |
Include a description of the information systems that process personal data in the disclosure report. CC ID 16784 | Establish/Maintain Documentation | Preventive | |
Include the policies and procedures related to freedom of expression in the disclosure report. CC ID 15604 | Establish/Maintain Documentation | Preventive | |
Include dispute resolution quality measures in the disclosure report. CC ID 16312 | Establish/Maintain Documentation | Preventive | |
Include all data requests that resulted in compliance with the disclosure request in the disclosure report. CC ID 15547 | Establish/Maintain Documentation | Preventive | |
Include individuals whose information is provided to third parties for secondary purposes in the disclosure report. CC ID 15559 | Establish/Maintain Documentation | Preventive | |
Include the disclosure of aggregated, de-identified, and anonymized data to the requesting party in the disclosure report. CC ID 15570 | Establish/Maintain Documentation | Preventive | |
Include a description of how the organization manages records in the disclosure report. CC ID 16787 | Establish/Maintain Documentation | Preventive | |
Include a description of how the organization manages anti-corruption in the disclosure report. CC ID 16055 | Establish/Maintain Documentation | Preventive | |
Include a description of incidents of corruption in the disclosure report. CC ID 16067 | Establish/Maintain Documentation | Preventive | |
Include significant risks related to corruption in the disclosure report. CC ID 16065 | Establish/Maintain Documentation | Preventive | |
Include the interested personnel and affected parties to whom the anti-corruption program has been communicated in the disclosure report. CC ID 16064 | Establish/Maintain Documentation | Preventive | |
Include a description of how the organization manages economic performance in the disclosure report. CC ID 16054 | Establish/Maintain Documentation | Preventive | |
Include risks and opportunities posed by climate change in the disclosure report. CC ID 16060 | Establish/Maintain Documentation | Preventive | |
Include a justification for reporting financial data on a cash basis in the disclosure report. CC ID 16059 | Establish/Maintain Documentation | Preventive | |
Include a description of how the organization manages biodiversity in the disclosure report. CC ID 15986 | Establish/Maintain Documentation | Preventive | |
Include whether habitat restoration measures have been approved by independent external professionals in the disclosure report. CC ID 16075 | Establish/Maintain Documentation | Preventive | |
Include the condition of habitat areas protected or restored by the organization in the disclosure report. CC ID 16040 | Establish/Maintain Documentation | Preventive | |
Include whether third party relationships exist to protect or restore habitat areas in the disclosure report. CC ID 16039 | Establish/Maintain Documentation | Preventive | |
Include the biodiversity value of operational sites in the disclosure report. CC ID 16034 | Establish/Maintain Documentation | Preventive | |
Include the type of operations near areas of high biodiversity value in the disclosure report. CC ID 16025 | Establish/Maintain Documentation | Preventive | |
Include the location of operational sites near areas of high biodiversity value in the disclosure report. CC ID 16020 | Establish/Maintain Documentation | Preventive | |
Include the location of habitat areas protected or restored by the organization in the disclosure report. CC ID 16018 | Establish/Maintain Documentation | Preventive | |
Include the species impacted by organizational activities, products, and services in the disclosure report. CC ID 16015 | Establish/Maintain Documentation | Preventive | |
Include underground land owned by the organization near areas of high biodiversity value in the disclosure report. CC ID 16014 | Establish/Maintain Documentation | Preventive | |
Include a description of how the organization manages taxes in the disclosure report. CC ID 15985 | Establish/Maintain Documentation | Preventive | |
Include the frequency of tax strategy reviews in the disclosure report. CC ID 16074 | Establish/Maintain Documentation | Preventive | |
Include a justification for differences between corporate income tax accrued and tax due in the disclosure report. CC ID 16051 | Establish/Maintain Documentation | Preventive | |
Include the tax jurisdictions in the disclosure report. CC ID 16047 | Establish/Maintain Documentation | Preventive | |
Include the roles and responsibilities assigned to tax governance and control in the disclosure report. CC ID 16030 | Establish/Maintain Documentation | Preventive | |
Include the tax strategy in the disclosure report. CC ID 16029 | Establish/Maintain Documentation | Preventive | |
Include the tax governance and control framework in the disclosure report. CC ID 16028 | Establish/Maintain Documentation | Preventive | |
Include the management of tax risks in the disclosure report. CC ID 16026 | Establish/Maintain Documentation | Preventive | |
Include a description of how the organization manages market presence in the disclosure report. CC ID 15983 | Establish/Maintain Documentation | Preventive | |
Include the actions taken to determine whether workers are paid above minimum wage in the disclosure report. CC ID 16056 | Establish/Maintain Documentation | Preventive | |
Include the local minimum wage in the disclosure report. CC ID 15992 | Establish/Maintain Documentation | Preventive | |
Include a description of how the organization manages anti-competitive behavior in the disclosure report. CC ID 15981 | Establish/Maintain Documentation | Preventive | |
Include a description of how the organization manages procurement practices in the disclosure report. CC ID 15980 | Establish/Maintain Documentation | Preventive | |
Include a description of how the organization manages indirect economic impacts in the disclosure report. CC ID 15979 | Establish/Maintain Documentation | Preventive | |
Include service and infrastructure investments that benefit the public in the disclosure report. CC ID 15984 | Establish/Maintain Documentation | Preventive | |
Include a description of how the organization manages emissions in the disclosure report. CC ID 15970 | Establish/Maintain Documentation | Preventive | |
Include the risks related to greenhouse gas emissions in the disclosure report. CC ID 16338 | Establish/Maintain Documentation | Preventive | |
Include the emissions management plan in the disclosure report. CC ID 16177 | Establish/Maintain Documentation | Preventive | |
Include the scope of the emissions management plan in the disclosure report. CC ID 16168 | Establish/Maintain Documentation | Preventive | |
Include emission reduction targets in the disclosure report. CC ID 16148 | Establish/Maintain Documentation | Preventive | |
Include the scope of emission reduction targets in the disclosure report. CC ID 16149 | Establish/Maintain Documentation | Preventive | |
Include the scope of greenhouse gas emissions in the disclosure report. CC ID 16147 | Establish/Maintain Documentation | Preventive | |
Include a description of carbon offsets in the disclosure report. CC ID 15988 | Establish/Maintain Documentation | Preventive | |
Include the design and development of data centers in the disclosure report. CC ID 15620 | Establish/Maintain Documentation | Preventive | |
Include a list of countries or geographical regions where the organization's products and services are monitored, blocked, or filtered in the disclosure report. CC ID 15601 | Establish/Maintain Documentation | Preventive | |
Include a list of products affected by monitoring, blocking, or filtering in the disclosure report. CC ID 15641 | Establish/Maintain Documentation | Preventive | |
Include the implications of blocking or censorship on an organization's products and services in the disclosure report. CC ID 15639 | Establish/Maintain Documentation | Preventive | |
Identify products and services affected by monitoring or blocking in the disclosure report. CC ID 15638 | Establish/Maintain Documentation | Preventive | |
Include the reasons modifications were made to existing products and services in the disclosure report. CC ID 15637 | Establish/Maintain Documentation | Preventive | |
Include the differences between products and services being offered in different markets in the disclosure report. CC ID 15636 | Establish/Maintain Documentation | Preventive | |
Include a description of how the organization manages customer health and safety in the disclosure report. CC ID 15801 | Establish/Maintain Documentation | Preventive | |
Include the nature of complaints received in the disclosure report. CC ID 15844 | Establish/Maintain Documentation | Preventive | |
Include a description of how the organization manages child labor in the disclosure report. CC ID 15851 | Establish/Maintain Documentation | Preventive | |
Include operations with a risk for incidents of child labor in the disclosure report. CC ID 15864 | Establish/Maintain Documentation | Preventive | |
Include third parties with a risk for incidents of child labor in the disclosure report. CC ID 15863 | Establish/Maintain Documentation | Preventive | |
Include operations with a risk for exposing young workers to hazardous work in the disclosure report. CC ID 15862 | Establish/Maintain Documentation | Preventive | |
Include third parties with a risk for exposing young workers to hazardous work in the disclosure report. CC ID 15861 | Establish/Maintain Documentation | Preventive | |
Include the locations that are at risk for incidents of child labor in the disclosure report. CC ID 15860 | Establish/Maintain Documentation | Preventive | |
Include the measures taken to abolish child labor in the disclosure report. CC ID 15859 | Establish/Maintain Documentation | Preventive | |
Include a description of how the organization manages diversity and equal opportunity in the disclosure report. CC ID 15853 | Establish/Maintain Documentation | Preventive | |
Include the employee representation program in the disclosure report. CC ID 15628 | Establish/Maintain Documentation | Preventive | |
Include a description of how the organization manages marketing and labeling in the disclosure report. CC ID 15802 | Establish/Maintain Documentation | Preventive | |
Include the information required by the product and service information and labeling procedures in the disclosure report. CC ID 15812 | Establish/Maintain Documentation | Preventive | |
Include a description of how the organization manages occupational health and safety in the disclosure report. CC ID 15888 | Establish/Maintain Documentation | Preventive | |
Include the workers covered by the occupational health and safety management system in the disclosure report. CC ID 16151 | Establish/Maintain Documentation | Preventive | |
Include a description of voluntary health promotion programs in the disclosure report. CC ID 16119 | Establish/Maintain Documentation | Preventive | |
Include the main types of work-related ill health in the disclosure report. CC ID 15961 | Establish/Maintain Documentation | Preventive | |
Include a description of formal joint management-worker health and safety committees in the disclosure report. CC ID 15913 | Establish/Maintain Documentation | Preventive | |
Include the reasons workers are not represented by formal joint management-worker health and safety committees in the disclosure report. CC ID 15912 | Establish/Maintain Documentation | Preventive | |
Include work-related hazards in the disclosure report. CC ID 15911 | Establish/Maintain Documentation | Preventive | |
Include a description of the occupational health and safety risk assessment process in the disclosure report. CC ID 15909 | Establish/Maintain Documentation | Preventive | |
Include a description of occupational health and safety training in the disclosure report. CC ID 15908 | Establish/Maintain Documentation | Preventive | |
Include how occupational health and safety information is disseminated and communicated in the disclosure report. CC ID 15907 | Establish/Maintain Documentation | Preventive | |
Include the occupational health and safety risk reporting process in the disclosure report. CC ID 15904 | Establish/Maintain Documentation | Preventive | |
Include the occupational health and safety policy in the disclosure report. CC ID 15905 | Establish/Maintain Documentation | Preventive | |
Include the processes used to investigate work-related incidents in the disclosure report. CC ID 15903 | Establish/Maintain Documentation | Preventive | |
Include a description of the occupational health and safety management system in the disclosure report. CC ID 15901 | Establish/Maintain Documentation | Preventive | |
Include the main types of work-related injury in the disclosure report. CC ID 15959 | Establish/Maintain Documentation | Preventive | |
Include a description of how the organization manages forced or compulsory labor in the disclosure report. CC ID 15850 | Establish/Maintain Documentation | Preventive | |
Include operations with a risk for forced or compulsory labor in the disclosure report. CC ID 15858 | Establish/Maintain Documentation | Preventive | |
Include third parties with a risk for forced or compulsory labor in the disclosure report. CC ID 15857 | Establish/Maintain Documentation | Preventive | |
Include the locations with a risk for forced or compulsory labor in the disclosure report. CC ID 15856 | Establish/Maintain Documentation | Preventive | |
Include the measures taken to eliminate forced or compulsory labor in the disclosure report. CC ID 15855 | Establish/Maintain Documentation | Preventive | |
Include the measures taken to protect whistleblowers against retaliation in the disclosure report. CC ID 15902 | Establish/Maintain Documentation | Preventive | |
Include a description of how the organization manages employment in the disclosure report. CC ID 15890 | Establish/Maintain Documentation | Preventive | |
Include the risks of recruiting foreign nationals and offshore employees in the disclosure report. CC ID 15624 | Establish/Maintain Documentation | Preventive | |
Include the process for reporting near misses in the disclosure report. CC ID 16211 | Establish/Maintain Documentation | Preventive | |
Include the extent to which benefit plan liabilities are covered in the disclosure report. CC ID 16109 | Establish/Maintain Documentation | Preventive | |
Include the level of participation in benefit plans in the disclosure report. CC ID 16057 | Establish/Maintain Documentation | Preventive | |
Include the Code of Conduct in the disclosure report. CC ID 16205 | Establish/Maintain Documentation | Preventive | |
Include the standard benefits for full-time employees in the disclosure report. CC ID 15897 | Establish/Maintain Documentation | Preventive | |
Include a description of how the organization manages labor-management relations in the disclosure report. CC ID 15889 | Establish/Maintain Documentation | Preventive | |
Include the scope of work stoppages in the disclosure report. CC ID 16215 | Establish/Maintain Documentation | Preventive | |
Include the reason for each work stoppage in the disclosure report. CC ID 16213 | Establish/Maintain Documentation | Preventive | |
Include the impact of work stoppages in the disclosure report. CC ID 16212 | Establish/Maintain Documentation | Preventive | |
Include a description of collective bargaining agreements in the disclosure report. CC ID 15894 | Establish/Maintain Documentation | Preventive | |
Include a description of how the organization manages supplier environmental assessment in the disclosure report. CC ID 15876 | Establish/Maintain Documentation | Preventive | |
Include the reasons why relationships were terminated with suppliers having significant negative environmental impacts in the disclosure report. CC ID 15882 | Establish/Maintain Documentation | Preventive | |
Include a description of how the organization manages training and education in the disclosure report. CC ID 15875 [Member States shall ensure that statutory auditors and audit firms that carry out statutory audit(s) of public-interest entities publish on their websites, within three months of the end of each financial year, annual transparency reports that include at least the following: a statement on the policy followed by the audit firm concerning the continuing education of statutory auditors referred to in Article 13; Article 40 1.(h)] | Establish/Maintain Documentation | Preventive | |
Include a description of professional development programs in the disclosure report. CC ID 15880 | Establish/Maintain Documentation | Preventive | |
Include a description of professional development assistance in the disclosure report. CC ID 15879 | Establish/Maintain Documentation | Preventive | |
Include a description of transition assistance programs in the disclosure report. CC ID 15878 | Establish/Maintain Documentation | Preventive | |
Include a description of how the organization manages freedom of association and collective bargaining in the disclosure report. CC ID 15852 | Establish/Maintain Documentation | Preventive | |
Include the types of operations in which workers' rights to exercise freedom of association and collective bargaining may be violated in the disclosure report. CC ID 15868 | Establish/Maintain Documentation | Preventive | |
Include the types of third parties for which workers' rights to exercise freedom of association and collective bargaining may be violated in the disclosure report. CC ID 15867 | Establish/Maintain Documentation | Preventive | |
Include the locations at risk of violating workers' rights to exercise freedom of association and collective bargaining in the disclosure report. CC ID 15866 | Establish/Maintain Documentation | Preventive | |
Include the measures taken to support workers' rights to exercise freedom of association and collective bargaining in the disclosure report. CC ID 15865 | Establish/Maintain Documentation | Preventive | |
Include a description of how the organization manages waste in the disclosure report. CC ID 15765 | Establish/Maintain Documentation | Preventive | |
Include the material of spills in the disclosure report. CC ID 15968 | Establish/Maintain Documentation | Preventive | |
Include the location of spills in the disclosure report. CC ID 15964 | Establish/Maintain Documentation | Preventive | |
Include a description of how the organization manages the rights of indigenous peoples in the disclosure report. CC ID 15849 | Establish/Maintain Documentation | Preventive | |
Include products that contain declarable substances in the disclosure report. CC ID 16161 | Establish/Maintain Documentation | Preventive | |
Include a description of how the organization manages supplier social assessment in the disclosure report. CC ID 15799 | Establish/Maintain Documentation | Preventive | |
Include the reason why relationships were terminated with suppliers having significant negative social impacts in the disclosure report. CC ID 15804 | Establish/Maintain Documentation | Preventive | |
Include a description of how the organization manages energy in the disclosure report. CC ID 15783 | Establish/Maintain Documentation | Preventive | |
Include the types of energy affected by energy reduction in the disclosure report. CC ID 15731 | Establish/Maintain Documentation | Preventive | |
Include the scope of renewable energy in the disclosure report. CC ID 15509 | Establish/Maintain Documentation | Preventive | |
Include the scope of energy consumption in the disclosure report. CC ID 15508 | Establish/Maintain Documentation | Preventive | |
Include the types of energy used in the disclosure report. CC ID 15748 | Establish/Maintain Documentation | Preventive | |
Refrain from double-counting fuel consumption, as necessary. CC ID 15736 | Process or Activity | Preventive | |
Include energy efficiency considerations in product design and development in the disclosure report. CC ID 16155 | Establish/Maintain Documentation | Preventive | |
Include a description of how the organization manages public policy in the disclosure report. CC ID 15800 | Establish/Maintain Documentation | Preventive | |
Include a description of how the organization manages materials in the disclosure report. CC ID 15782 | Establish/Maintain Documentation | Preventive | |
Include the scope of recovered material in the disclosure report. CC ID 16204 | Establish/Maintain Documentation | Preventive | |
Include materials that present a risk to operations in the disclosure report. CC ID 16173 | Establish/Maintain Documentation | Preventive | |
Include the risks represented by materials in the disclosure report. CC ID 16171 | Establish/Maintain Documentation | Preventive | |
Include the risk management approach to the use of materials in the disclosure report. CC ID 16169 | Establish/Maintain Documentation | Preventive | |
Include management of the availability of materials in the disclosure report. CC ID 16167 | Establish/Maintain Documentation | Preventive | |
Include management of the price of materials in the disclosure report. CC ID 16165 | Establish/Maintain Documentation | Preventive | |
Include the business activities that use declarable substances in the disclosure report. CC ID 16158 | Establish/Maintain Documentation | Preventive | |
Include a description of how the organization manages declarable substances in the disclosure report. CC ID 16156 | Establish/Maintain Documentation | Preventive | |
Include a description of how the organization manages non-discrimination in the disclosure report. CC ID 15764 | Establish/Maintain Documentation | Preventive | |
Include the status of incidents of discrimination in the disclosure report. CC ID 15790 | Establish/Maintain Documentation | Preventive | |
Include corrective actions taken for incidents of discrimination in the disclosure report. CC ID 15789 | Establish/Maintain Documentation | Preventive | |
Include a description of incidents of discrimination in the disclosure report. CC ID 15787 | Establish/Maintain Documentation | Preventive | |
Include incidents of discrimination no longer subject to action in the disclosure report. CC ID 15786 | Establish/Maintain Documentation | Preventive | |
Include a description of how the organization manages local communities in the disclosure report. CC ID 15798 | Establish/Maintain Documentation | Preventive | |
Include a description of local community consultation committees in the disclosure report. CC ID 15821 | Establish/Maintain Documentation | Preventive | |
Include the results of impact assessments in the disclosure report. CC ID 15820 | Establish/Maintain Documentation | Preventive | |
Include a description of community development programs in the disclosure report. CC ID 15818 | Establish/Maintain Documentation | Preventive | |
Include a description of the impact assessments in the disclosure report. CC ID 15817 | Establish/Maintain Documentation | Preventive | |
Include a description of worker representation bodies in the disclosure report. CC ID 15816 | Establish/Maintain Documentation | Preventive | |
Include a description of local community grievance processes in the disclosure report. CC ID 15815 | Establish/Maintain Documentation | Preventive | |
Include a description of how the organization manages security practices in the disclosure report. CC ID 15784 | Establish/Maintain Documentation | Preventive | |
Include trends in the frequency of incidents in the disclosure report. CC ID 15511 | Establish/Maintain Documentation | Preventive | |
Include trends in the origination of incidents in the disclosure report. CC ID 15512 | Establish/Maintain Documentation | Preventive | |
Include trends in incident type in the disclosure report. CC ID 15510 | Establish/Maintain Documentation | Preventive | |
Include a description of how the organization interacts with water in the disclosure report. CC ID 15752 | Establish/Maintain Documentation | Preventive | |
Include a description of water consumption in the disclosure report. CC ID 15754 | Establish/Maintain Documentation | Preventive | |
Include changes in water storage in the disclosure report. CC ID 15762 | Establish/Maintain Documentation | Preventive | |
Include a description of water discharge in the disclosure report. CC ID 15755 | Establish/Maintain Documentation | Preventive | |
Include a description of water withdrawal in the disclosure report. CC ID 15753 | Establish/Maintain Documentation | Preventive | |
Include the priority substances of concern for which water discharge is treated in the disclosure report. CC ID 15761 | Establish/Maintain Documentation | Preventive | |
Include the effluent discharge standards in the disclosure report. CC ID 15757 | Establish/Maintain Documentation | Preventive | |
Include water quality standards in the disclosure report. CC ID 15756 | Establish/Maintain Documentation | Preventive | |
Include business continuity risks in the disclosure report. CC ID 15608 | Establish/Maintain Documentation | Preventive | |
Include incidents in which encrypted data were acquired with a valid encryption key in the disclosure report. CC ID 15546 | Establish/Maintain Documentation | Preventive | |
Include recycling in the disclosure report. CC ID 15579 | Establish/Maintain Documentation | Preventive | |
Include the scope of recycled material in the disclosure report. CC ID 16153 | Establish/Maintain Documentation | Preventive | |
Include donated materials or refurbished materials in the disclosure report. CC ID 15561 | Establish/Maintain Documentation | Preventive | |
Include materials being physically handled by third parties for reuse, recycling, or refurbishment in the disclosure report. CC ID 15577 | Establish/Maintain Documentation | Preventive | |
Include materials being physically handled by the organization for reuse, recycling, or refurbishment in the disclosure report. CC ID 15575 | Establish/Maintain Documentation | Preventive | |
Include the reuse of materials recovered in the disclosure report. CC ID 15566 | Establish/Maintain Documentation | Preventive | |
Include products, materials, and parts at the end of their useful life in the disclosure report. CC ID 15553 | Establish/Maintain Documentation | Preventive | |
Exclude products and parts waiting for repair and under warranty in the disclosure report. CC ID 15551 | Establish/Maintain Documentation | Preventive | |
Include all monetary liabilities to third parties in the disclosure report. CC ID 15572 | Establish/Maintain Documentation | Preventive | |
Include both first-party advertising and third-party advertising in the disclosure report. CC ID 15554 | Establish/Maintain Documentation | Preventive | |
Include the corrective action plan in the disclosure report. CC ID 15900 | Establish/Maintain Documentation | Preventive | |
Include the costs of corrective actions in the disclosure report. CC ID 16098 | Establish/Maintain Documentation | Preventive | |
Include exclusions from the scope of disclosure for each material topic in the disclosure report. CC ID 15893 | Establish/Maintain Documentation | Preventive | |
Include a justification for each exclusion from the scope of disclosure for each material topic in the disclosure report. CC ID 15892 | Establish/Maintain Documentation | Preventive | |
Include incidents with indications that encrypted data could be readily converted to plain text in the disclosure report. CC ID 15544 | Establish/Maintain Documentation | Preventive | |
Limit disclosures to data breaches that resulted in a deviation from expected outcomes for confidentiality or integrity in the disclosure report. CC ID 15545 | Establish/Maintain Documentation | Preventive | |
Limit the disclosure of breaches to those in which the individuals were notified in the disclosure report. CC ID 15550 | Establish/Maintain Documentation | Preventive | |
Restrict disclosures to wireless communications services in the disclosure report. CC ID 15555 | Establish/Maintain Documentation | Preventive | |
Restrict disclosures to wireline communications services in the disclosure report. CC ID 15556 | Establish/Maintain Documentation | Preventive | |
Restrict disclosure to Internet Service Provider services in the disclosure report. CC ID 15569 | Establish/Maintain Documentation | Preventive | |
Exclude legal fees and expenses used for defense in the disclosure report. CC ID 15571 | Establish/Maintain Documentation | Preventive | |
Include the external requirements to which third parties are compliant in the disclosure report. CC ID 15573 | Establish/Maintain Documentation | Preventive | |
Include the impact of monitoring, blocking, or filtering products and services in the disclosure report. CC ID 15602 | Establish/Maintain Documentation | Preventive | |
Include the reclassification of Internet Service Providers in the disclosure report. CC ID 15576 | Establish/Maintain Documentation | Preventive | |
Include non-monetary sanctions in the disclosure report. CC ID 15872 | Establish/Maintain Documentation | Preventive | |
Include business activities that negatively impact the target environment in the disclosure report. CC ID 15683 | Establish/Maintain Documentation | Preventive | |
Include the organization's name in the disclosure report. CC ID 15668 | Establish/Maintain Documentation | Preventive | |
Include the time period in which privacy breaches occurred in the disclosure report. CC ID 15730 | Establish/Maintain Documentation | Preventive | |
Include the metrics used to track how material topics and related impacts are managed in the disclosure report. CC ID 15686 | Establish/Maintain Documentation | Preventive | |
Include the process used to track the effectiveness of corrective actions taken to manage material topics and related impacts in the disclosure report. CC ID 15687 | Establish/Maintain Documentation | Preventive | |
Include a list of material topics in the disclosure report. CC ID 15656 | Establish/Maintain Documentation | Preventive | |
Include changes to the list of material topics in the disclosure report. CC ID 15681 | Establish/Maintain Documentation | Preventive | |
Include the processes used to monitor material topics and related impacts in the disclosure report. CC ID 15819 | Establish/Maintain Documentation | Preventive | |
Include policies and commitments regarding each material topic in the disclosure report. CC ID 15684 | Establish/Maintain Documentation | Preventive | |
Include a commitment to preserve human rights in the disclosure report. CC ID 15854 | Establish/Maintain Documentation | Preventive | |
Include the reasons that policies and commitments are not publicly available in the disclosure report. CC ID 15873 | Establish/Maintain Documentation | Preventive | |
Include how the impacts related to material topics are managed in the disclosure report. CC ID 15685 | Establish/Maintain Documentation | Preventive | |
Include the individuals who helped determine the material topics in the disclosure report. CC ID 15680 | Establish/Maintain Documentation | Preventive | |
Include the impacts related to each material topic in the disclosure report. CC ID 15682 | Establish/Maintain Documentation | Preventive | |
Include the reversibility or irreversibility of impacts in the disclosure report. CC ID 16037 | Establish/Maintain Documentation | Preventive | |
Include the impact duration in the disclosure report. CC ID 16036 | Establish/Maintain Documentation | Preventive | |
Include the extent of impacts in the disclosure report. CC ID 16016 | Establish/Maintain Documentation | Preventive | |
Include the process for determining material topics in the disclosure report. CC ID 15655 | Establish/Maintain Documentation | Preventive | |
Refrain from including the same data in other required disclosures, as necessary. CC ID 15732 | Establish/Maintain Documentation | Preventive | |
Include the process for setting goals and targets in the disclosure report. CC ID 15763 | Establish/Maintain Documentation | Preventive | |
Include risks to the achievement of goals and targets in the disclosure report. CC ID 16166 | Establish/Maintain Documentation | Preventive | |
Include the timelines for achieving goals and targets in the disclosure report. CC ID 16164 | Establish/Maintain Documentation | Preventive | |
Include the mechanisms for achieving goals and targets in the disclosure report. CC ID 16144 | Establish/Maintain Documentation | Preventive | |
Include the progress towards goals and targets in the disclosure report. CC ID 15688 | Establish/Maintain Documentation | Preventive | |
Include a justification for disclosures that do not reconcile with data reported in other required disclosures in the disclosure report. CC ID 16053 | Establish/Maintain Documentation | Preventive | |
Include historical information and future-oriented information in the disclosure report. CC ID 16336 | Establish/Maintain Documentation | Preventive | |
Include preventive actions in the disclosure report. CC ID 15796 | Establish/Maintain Documentation | Preventive | |
Include the methodology for reporting future-oriented information in the disclosure report. CC ID 16335 | Establish/Maintain Documentation | Preventive | |
Include the reporting period in the disclosure report. CC ID 15661 | Establish/Maintain Documentation | Preventive | |
Include restatements of information from previous reporting periods and an explanation for their use in the disclosure report. CC ID 15827 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the disclosure report. CC ID 15846 | Establish/Maintain Documentation | Preventive | |
Include the organization's location in the disclosure report. CC ID 16311 | Establish/Maintain Documentation | Preventive | |
Include how conflicts of interest in roles are handled in the disclosure report. CC ID 15848 [Member States shall ensure that statutory auditors and audit firms that carry out statutory audit(s) of public-interest entities publish on their websites, within three months of the end of each financial year, annual transparency reports that include at least the following: a statement concerning the audit firm's independence practices which also confirms that an internal review of independence compliance has been conducted; Article 40 1.(g)] | Establish/Maintain Documentation | Preventive | |
Include the reporting structure in the disclosure report. CC ID 15845 | Establish/Maintain Documentation | Preventive | |
Include a description of whistleblowing mechanisms in the disclosure report. CC ID 16027 | Establish/Maintain Documentation | Preventive | |
Include the differences between the list of entities in financial reporting and in sustainability reporting in the disclosure report. CC ID 15874 | Establish/Maintain Documentation | Preventive | |
Include the governance structure in the disclosure report. CC ID 15840 [Member States shall ensure that statutory auditors and audit firms that carry out statutory audit(s) of public-interest entities publish on their websites, within three months of the end of each financial year, annual transparency reports that include at least the following: a description of the governance structure of the audit firm; Article 40 1.(c)] | Establish/Maintain Documentation | Preventive | |
Include stakeholder representation in the disclosure report. CC ID 15847 | Establish/Maintain Documentation | Preventive | |
Include a description of the composition of governance bodies and committees in the disclosure report. CC ID 15843 | Establish/Maintain Documentation | Preventive | |
Include a description of significant fluctuations in the total number of contractors and outsource partners in the disclosure report. CC ID 15839 | Establish/Maintain Documentation | Preventive | |
Include a description of contractual relationships in the disclosure report. CC ID 15838 [Member States shall ensure that statutory auditors and audit firms that carry out statutory audit(s) of public-interest entities publish on their websites, within three months of the end of each financial year, annual transparency reports that include at least the following: where the audit firm belongs to a network, a description of the network and the legal and structural arrangements in the network; Article 40 1.(b) Member States shall ensure that statutory auditors and audit firms that carry out statutory audit(s) of public-interest entities publish on their websites, within three months of the end of each financial year, annual transparency reports that include at least the following: a list of public-interest entities for which the audit firm has carried out statutory audits during the preceding financial year; Article 40 1.(f)] | Establish/Maintain Documentation | Preventive | |
Include a description of significant fluctuations in the total number of employees in the disclosure report. CC ID 15836 | Establish/Maintain Documentation | Preventive | |
Include research findings based on previous and current research methodologies in the disclosure report. CC ID 15630 | Establish/Maintain Documentation | Preventive | |
Include the methodology used to report numbers in the disclosure report. CC ID 15841 | Establish/Maintain Documentation | Preventive | |
Include definitions of terms in the disclosure report. CC ID 15832 | Establish/Maintain Documentation | Preventive | |
Include a description of third party relationships in the disclosure report. CC ID 15830 | Establish/Maintain Documentation | Preventive | |
Include the type of work performed by contractors and outsource partners in the disclosure report. CC ID 15842 | Establish/Maintain Documentation | Preventive | |
Include any changes made to information in restatements in the disclosure report. CC ID 15829 | Establish/Maintain Documentation | Preventive | |
Include the criteria for determining when to use restatements in the disclosure report. CC ID 15828 | Establish/Maintain Documentation | Preventive | |
Include points of contact in the disclosure report. CC ID 15826 | Establish/Maintain Documentation | Preventive | |
Include the reason that reporting periods for different reports do not align in the disclosure report. CC ID 15825 | Establish/Maintain Documentation | Preventive | |
Include a description of how information is consolidated in the disclosure report. CC ID 15824 | Establish/Maintain Documentation | Preventive | |
Include the legal form of organization in the disclosure report. CC ID 15823 | Establish/Maintain Documentation | Preventive | |
Include the ownership structure in the disclosure report. CC ID 15822 [Member States shall ensure that statutory auditors and audit firms that carry out statutory audit(s) of public-interest entities publish on their websites, within three months of the end of each financial year, annual transparency reports that include at least the following: a description of the legal structure and ownership; Article 40 1.(a)] | Establish/Maintain Documentation | Preventive | |
Include the shareholding structure in the disclosure report. CC ID 16093 | Establish/Maintain Documentation | Preventive | |
Include the processes used to collect and monitor in scope information in the disclosure report. CC ID 15779 | Establish/Maintain Documentation | Preventive | |
Refrain from including out of scope information in the disclosure report. CC ID 15793 | Establish/Maintain Documentation | Preventive | |
Include the processes used to assess third party compliance in the disclosure report. CC ID 15773 | Establish/Maintain Documentation | Preventive | |
Include the calculation methodology in the disclosure report. CC ID 15733 | Establish/Maintain Documentation | Preventive | |
Include the rationale for choosing the calculation methodology in the disclosure report. CC ID 15734 | Establish/Maintain Documentation | Preventive | |
Include the effects of changes to calculation methodologies in the disclosure report. CC ID 16344 | Establish/Maintain Documentation | Preventive | |
Include the source of conversion factors in the disclosure report. CC ID 15747 | Establish/Maintain Documentation | Preventive | |
Include known limitations in the disclosure report. CC ID 15669 | Establish/Maintain Documentation | Preventive | |
Include the lessons learned in the disclosure report. CC ID 15689 | Establish/Maintain Documentation | Preventive | |
Include how lessons learned are incorporated into policies and procedures in the disclosure report. CC ID 15690 | Establish/Maintain Documentation | Preventive | |
Include whether training requirements apply to third parties in the disclosure report. CC ID 15727 | Establish/Maintain Documentation | Preventive | |
Include a link to the content index in the disclosure report. CC ID 15666 | Establish/Maintain Documentation | Preventive | |
Include stakeholder engagement activities in the disclosure report. CC ID 15691 | Establish/Maintain Documentation | Preventive | |
Include supplemental disclosures in the disclosure report. CC ID 15629 | Establish/Maintain Documentation | Preventive | |
Sign the disclosure report. CC ID 17286 [The transparency report shall be signed by the statutory auditor or audit firm, as the case may be. This can be done, for example, by means of an electronic signature as defined in Article 2(1) of Directive 1999/93/EC. Article 40 2.] | Business Processes | Preventive | |
Disseminate and communicate the disclosure report to interested personnel and affected parties. CC ID 15667 [Member States shall ensure that statutory auditors and audit firms that carry out statutory audit(s) of public-interest entities publish on their websites, within three months of the end of each financial year, annual transparency reports that include at least the following: Article 40 1.] | Communicate | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Harmonization Methods and Manual of Style CC ID 06095 | IT Impact Zone | IT Impact Zone | |
Structure the language of compliance documents. CC ID 06098 | Establish/Maintain Documentation | Preventive | |
Standardize word usage. CC ID 06104 | Establish/Maintain Documentation | Preventive | |
Write policies and instructions using clear and conspicuous language. CC ID 16286 [Member States shall require statutory auditors and audit firms to carry out statutory audits in compliance with international auditing standards adopted by the Commission in accordance with the procedure referred to in Article 48(2). Member States may apply a national auditing standard as long as the Commission has not adopted an international auditing standard covering the same subject-matter. Adopted international auditing standards shall be published in full in each of the official languages of the Community in the Official Journal of the European Union. Article 26 1.] | Establish/Maintain Documentation | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Human Resources management CC ID 00763 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain high level operational roles and responsibilities. CC ID 00806 | Establish Roles | Preventive | |
Define and assign board committees, as necessary. CC ID 14787 | Human Resources Management | Preventive | |
Define and assign audit committees, as necessary. CC ID 14788 [Each public-interest entity shall have an audit committee. The Member State shall determine whether audit committees are to be composed of non-executive members of the administrative body and/or members of the supervisory body of the audited entity and/or members appointed by the general meeting of shareholders of the audited entity. At least one member of the audit committee shall be independent and shall have competence in accounting and/or auditing. Article 41 1. ¶ 1] | Human Resources Management | Preventive | |
Include members with experience in audit practices, financial reporting, and accounting in the audit committee. CC ID 14796 [Each public-interest entity shall have an audit committee. The Member State shall determine whether audit committees are to be composed of non-executive members of the administrative body and/or members of the supervisory body of the audited entity and/or members appointed by the general meeting of shareholders of the audited entity. At least one member of the audit committee shall be independent and shall have competence in accounting and/or auditing. Article 41 1. ¶ 1] | Human Resources Management | Preventive | |
Establish, implement, and maintain a personnel management program. CC ID 14018 | Establish/Maintain Documentation | Preventive | |
Employ individuals who have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 00782 [Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: the persons who carry out quality assurance reviews shall have appropriate professional education and relevant experience in statutory audit and financial reporting combined with specific training on quality assurance reviews; Article 29 1.(d) The system of public oversight shall be governed by non-practitioners who are knowledgeable in the areas relevant to statutory audit. Member States may, however, allow a minority of practitioners to be involved in the governance of the public oversight system. Persons involved in the governance of the public oversight system shall be selected in accordance with an independent and transparent nomination procedure. Article 32 3.] | Testing | Detective | |
Assign personnel screening procedures to qualified personnel. CC ID 11699 | Establish Roles | Preventive | |
Include all residences in the criminal records check. CC ID 13306 | Process or Activity | Preventive | |
Document any reasons a full criminal records check could not be performed. CC ID 13305 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate screening results to interested personnel and affected parties. CC ID 16445 | Communicate | Preventive | |
Disseminate and communicate personnel screening procedures to interested personnel and affected parties. CC ID 16977 | Communicate | Preventive | |
Notify terminated individuals of applicable, legally binding post-employment requirements. CC ID 10630 [The statutory auditor or the key audit partner who carries out a statutory audit on behalf of an audit firm shall not be allowed to take up a key management position in the audited entity before a period of at least two years has elapsed since he or she resigned as a statutory auditor or key audit partner from the audit engagement. Article 42 3.] | Communicate | Preventive | |
Train all personnel and third parties, as necessary. CC ID 00785 [In order to ensure the ability to apply theoretical knowledge in practice, a test of which is included in the examination, a trainee shall complete a minimum of three years' practical training in, inter alia, the auditing of annual accounts, consolidated accounts or similar financial statements. At least two thirds of such practical training shall be completed with a statutory auditor or audit firm approved in any Member State. Article 10 1.] | Behavior | Preventive | |
Provide new hires limited network access to complete computer-based training. CC ID 17008 | Training | Preventive | |
Establish, implement, and maintain an education methodology. CC ID 06671 [{investigation process} {disciplinary process} The system of public oversight shall have the ultimate responsibility for the oversight of: continuing education, quality assurance and investigative and disciplinary systems. Article 32 4.(c)] | Business Processes | Preventive | |
Support certification programs as viable training programs. CC ID 13268 [Member States may provide that periods of theoretical instruction in the fields referred to in Article 8 shall count towards the periods of professional activity referred to in Article 11, provided that such instruction is attested by an examination recognised by the State. Such instruction shall not last less than one year, nor may it reduce the period of professional activity by more than four years. Article 12 1.] | Human Resources Management | Preventive | |
Include evidence of experience in applications for professional certification. CC ID 16193 | Establish/Maintain Documentation | Preventive | |
Include supporting documentation in applications for professional certification. CC ID 16195 | Establish/Maintain Documentation | Preventive | |
Submit applications for professional certification. CC ID 16192 | Training | Preventive | |
Retrain all personnel, as necessary. CC ID 01362 [Member States shall ensure that statutory auditors are required to take part in appropriate programmes of continuing education in order to maintain their theoretical knowledge, professional skills and values at a sufficiently high level, and that failure to respect the continuing education requirements is subject to appropriate penalties as referred to in Article 30. Article 13 ¶ 1] | Behavior | Preventive | |
Conduct tests and evaluate training. CC ID 06672 [Member States shall ensure that all training is carried out with persons providing adequate guarantees regarding their ability to provide practical training. Article 10 2.] | Testing | Detective | |
Hire third parties to conduct training, as necessary. CC ID 13167 | Human Resources Management | Preventive | |
Approve training plans, as necessary. CC ID 17193 | Training | Preventive | |
Train personnel to recognize conditions of diseases or sicknesses, as necessary. CC ID 14383 | Training | Detective | |
Include prevention techniques in training regarding diseases or sicknesses. CC ID 14387 | Training | Preventive | |
Include the concept of disease clusters when training to recognize conditions of diseases or sicknesses. CC ID 14386 | Training | Preventive | |
Train personnel to identify and communicate symptoms of exposure to disease or sickness. CC ID 14385 | Training | Detective | |
Establish, implement, and maintain a list of tasks to include in the training plan. CC ID 17101 | Training | Preventive | |
Designate training facilities in the training plan. CC ID 16200 | Training | Preventive | |
Include portions of the visitor control program in the training plan. CC ID 13287 | Establish/Maintain Documentation | Preventive | |
Include insider threats in the security awareness program. CC ID 16963 | Training | Preventive | |
Conduct personal data processing training. CC ID 13757 | Training | Preventive | |
Include in personal data processing training how to provide the contact information for the categories of personal data the organization may disclose. CC ID 13758 | Training | Preventive | |
Complete security awareness training prior to being granted access to information systems or data. CC ID 17009 | Training | Preventive | |
Establish, implement, and maintain a security awareness and training policy. CC ID 14022 | Establish/Maintain Documentation | Preventive | |
Include compliance requirements in the security awareness and training policy. CC ID 14092 | Establish/Maintain Documentation | Preventive | |
Include coordination amongst entities in the security awareness and training policy. CC ID 14091 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain security awareness and training procedures. CC ID 14054 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the security awareness and training procedures to interested personnel and affected parties. CC ID 14138 | Communicate | Preventive | |
Include management commitment in the security awareness and training policy. CC ID 14049 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the security awareness and training policy. CC ID 14048 | Establish/Maintain Documentation | Preventive | |
Include the scope in the security awareness and training policy. CC ID 14047 | Establish/Maintain Documentation | Preventive | |
Include the purpose in the security awareness and training policy. CC ID 14045 | Establish/Maintain Documentation | Preventive | |
Include configuration management procedures in the security awareness program. CC ID 13967 | Establish/Maintain Documentation | Preventive | |
Include media protection in the security awareness program. CC ID 16368 | Training | Preventive | |
Document security awareness requirements. CC ID 12146 | Establish/Maintain Documentation | Preventive | |
Include identity and access management in the security awareness program. CC ID 17013 | Training | Preventive | |
Include the encryption process in the security awareness program. CC ID 17014 | Training | Preventive | |
Include physical security in the security awareness program. CC ID 16369 | Training | Preventive | |
Include data management in the security awareness program. CC ID 17010 | Training | Preventive | |
Include e-mail and electronic messaging in the security awareness program. CC ID 17012 | Training | Preventive | |
Include updates on emerging issues in the security awareness program. CC ID 13184 | Training | Preventive | |
Include cybersecurity in the security awareness program. CC ID 13183 | Training | Preventive | |
Include implications of non-compliance in the security awareness program. CC ID 16425 | Training | Preventive | |
Include social networking in the security awareness program. CC ID 17011 | Training | Preventive | |
Include the acceptable use policy in the security awareness program. CC ID 15487 | Training | Preventive | |
Include a requirement to train all new hires and interested personnel in the security awareness program. CC ID 11800 | Establish/Maintain Documentation | Preventive | |
Include remote access in the security awareness program. CC ID 13892 | Establish/Maintain Documentation | Preventive | |
Document the goals of the security awareness program. CC ID 12145 | Establish/Maintain Documentation | Preventive | |
Compare current security awareness assessment reports to the security awareness baseline. CC ID 12150 | Establish/Maintain Documentation | Preventive | |
Establish and maintain a steering committee to guide the security awareness program. CC ID 12149 | Human Resources Management | Preventive | |
Document the scope of the security awareness program. CC ID 12148 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a security awareness baseline. CC ID 12147 | Establish/Maintain Documentation | Preventive | |
Encourage interested personnel to obtain security certification. CC ID 11804 | Human Resources Management | Preventive | |
Train all personnel and third parties on how to recognize and report system failures. CC ID 13475 | Training | Preventive | |
Establish, implement, and maintain an environmental management system awareness program. CC ID 15200 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a conflict of interest policy. CC ID 14785 [{do not exist} Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: the selection of reviewers for specific quality assurance review assignments shall be effected in accordance with an objective procedure designed to ensure that there are no conflicts of interest between the reviewers and the statutory auditor or audit firm under review; Article 29 1.(e) The competent authorities shall be organised in such a manner that conflicts of interests are avoided. Article 35 2.] | Establish/Maintain Documentation | Preventive | |
Include definitions of conflicts of interest in the conflict of interest policy. CC ID 14792 | Establish/Maintain Documentation | Preventive | |
Include continuous monitoring for conflicts of interest in the conflict of interest policy. CC ID 17190 | Monitor and Evaluate Occurrences | Preventive | |
Submit a conflict of interest declaration to interested personnel and affected parties. CC ID 16194 [In addition to the provisions laid down in Articles 22 and 24, Member States shall ensure that statutory auditors or audit firms that carry out the statutory audit of a public-interest entity: confirm annually in writing to the audit committee their independence from the audited public-interest entity; Article 42 1.(a)] | Communicate | Preventive | |
Include roles and responsibilities in the conflict of interest policy. CC ID 14790 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an ethics program. CC ID 11496 [Member States shall ensure that all statutory auditors and audit firms are subject to principles of professional ethics, covering at least their public-interest function, their integrity and objectivity and their professional competence and due care. Article 21 1. The system of public oversight shall have the ultimate responsibility for the oversight of: the adoption of standards on professional ethics, internal quality control of audit firms and auditing, and Article 32 4.(b)] | Human Resources Management | Preventive | |
Include communication protocols for interested personnel and affected parties in the ethics program. CC ID 12858 | Communicate | Preventive | |
Establish, implement, and maintain ethical decision-making guidelines. CC ID 12908 | Behavior | Preventive | |
Establish, implement, and maintain investigation procedures addressing ethics complaints. CC ID 12900 | Investigate | Preventive | |
Establish, implement, and maintain an ethical culture. CC ID 12781 | Behavior | Preventive | |
Analyze the organizational climate regarding support for expectation of responsible behavior and integrity. CC ID 12873 | Monitor and Evaluate Occurrences | Preventive | |
Analyze the organizational climate regarding the expectation of responsible behavior and integrity. CC ID 12872 | Monitor and Evaluate Occurrences | Preventive | |
Refrain from practicing false advertising. CC ID 14253 | Business Processes | Preventive | |
Establish mechanisms for whistleblowers to report compliance violations. CC ID 06806 | Business Processes | Preventive | |
Establish mechanisms to maintain the anonymity of whistleblowers. CC ID 12859 | Communicate | Preventive | |
Establish, implement, and maintain a training program to report compliance violations. CC ID 11835 | Establish/Maintain Documentation | Preventive | |
Refrain from discriminating against employees who refuse or intend to refuse to do something that contravenes requirements. CC ID 13608 | Behavior | Preventive | |
Refrain from discriminating against employees who are whistleblowers. CC ID 13609 | Behavior | Preventive | |
Respond to ethics complaints of ethics violations. CC ID 11497 | Business Processes | Corrective | |
Refrain from discriminating against employees who disclose that their employer or another person has contravened or intends to contravene requirements. CC ID 13607 | Behavior | Preventive | |
Apply legal remedies to any person knowingly partaking in illegal actions. CC ID 11515 | Human Resources Management | Preventive | |
Include prohibiting counterfeiting in the ethics program. CC ID 11517 | Human Resources Management | Preventive | |
Refrain from assigning roles and responsibilities that breach segregation of duties. CC ID 12055 | Human Resources Management | Preventive | |
Refrain from assigning security compliance assessment responsibility for the day-to-day production activities an individual performs. CC ID 12061 | Establish Roles | Preventive | |
Refrain from approving previously performed activities when acting on behalf of the Chief Information Security Officer. CC ID 12060 | Behavior | Preventive | |
Refrain from performing activities with approval responsibility when acting on behalf of the Chief Information Security Officer. CC ID 12059 | Behavior | Preventive | |
Prohibit roles from performing activities that they are assigned the responsibility for approving. CC ID 12052 | Behavior | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Leadership and high level objectives CC ID 00597 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a reporting methodology program. CC ID 02072 | Business Processes | Preventive | |
Report to management and stakeholders on the findings and information gathered from all types of inquiries. CC ID 12797 [Competent authorities shall, on request, and without undue delay, supply any information required for the purpose referred to in paragraph 1. Where necessary, the competent authorities receiving any such request shall, without undue delay, take the necessary measures to gather the required information. Information thus supplied shall be covered by the obligation of professional secrecy to which the persons employed or formerly employed by the competent authorities that received the information are subject. Article 36 4. ¶ 1] | Actionable Reports or Measurements | Preventive | |
Establish, implement, and maintain an external reporting program. CC ID 12876 | Communicate | Preventive | |
Include reporting to governing bodies in the external reporting plan. CC ID 12923 [Where the approval of a statutory auditor or of an audit firm is withdrawn for any reason, the competent authority of the Member State where the approval is withdrawn shall communicate that fact and the reasons for the withdrawal to the relevant competent authorities of Member States where the statutory auditor or audit firm is also approved which are entered in the first-named Member State's register in accordance with Article 16(1), point (c). Article 5 3.] | Communicate | Preventive | |
Submit confidential treatment applications to interested personnel and affected parties. CC ID 16592 | Communicate | Preventive | |
Include the reasons for objections to public disclosure in confidential treatment applications. CC ID 16594 | Establish/Maintain Documentation | Preventive | |
Include contact information for the interested personnel and affected parties the report was filed with in the confidential treatment application. CC ID 16595 | Establish/Maintain Documentation | Preventive | |
Include the information that was omitted in the confidential treatment application. CC ID 16593 | Establish/Maintain Documentation | Preventive | |
Request extensions for submissions to governing bodies, as necessary. CC ID 16955 | Process or Activity | Preventive | |
Analyze organizational objectives, functions, and activities. CC ID 00598 | Monitor and Evaluate Occurrences | Preventive | |
Establish, implement, and maintain a Quality Management framework. CC ID 07196 [Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: Article 29 1. {third-country audit entity} Member States shall subject registered third-country auditors and audit entities to their systems of oversight, their quality assurance systems and their systems of investigation and penalties. A Member State may exempt a registered third-country auditor or audit entity from being subject to its quality assurance system if another Member State's or third country's system of quality assurance that has been assessed as equivalent in accordance with Article 46 has carried out a quality review of the third-country auditor or audit entity concerned during the previous three years. Article 45 3.] | Establish/Maintain Documentation | Preventive | |
Include supply chain management standards in the Quality Management framework. CC ID 13701 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a Quality Management policy. CC ID 13694 | Establish/Maintain Documentation | Preventive | |
Include a commitment to satisfy applicable requirements in the Quality Management policy. CC ID 13700 [Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: the quality assurance system shall be organised in such a manner that it is independent of the reviewed statutory auditors and audit firms and subject to public oversight as provided for in Chapter VIII; Article 29 1.(a)] | Establish/Maintain Documentation | Preventive | |
Tailor the Quality Management policy to support the organization's strategic direction. CC ID 13699 | Establish/Maintain Documentation | Preventive | |
Include a commitment to continual improvement of the Quality Management system in the Quality Management policy. CC ID 13698 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the Quality Management policy to all interested personnel and affected parties. CC ID 13695 | Communicate | Preventive | |
Align the quality objectives with the Quality Management policy. CC ID 13697 | Establish/Maintain Documentation | Preventive | |
Enforce a continuous Quality Control system. CC ID 01005 [Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: quality assurance reviews shall take place at least every six years; Article 29 1.(h) The system of public oversight shall have the ultimate responsibility for the oversight of: the adoption of standards on professional ethics, internal quality control of audit firms and auditing, and Article 32 4.(b)] | Business Processes | Detective | |
Establish, implement, and maintain a Quality Management program. CC ID 07201 [Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: the quality assurance system shall be organised in such a manner that it is independent of the reviewed statutory auditors and audit firms and subject to public oversight as provided for in Chapter VIII; Article 29 1.(a) {investigation process} {disciplinary process} The system of public oversight shall have the ultimate responsibility for the oversight of: continuing education, quality assurance and investigative and disciplinary systems. Article 32 4.(c)] | Establish/Maintain Documentation | Preventive | |
Notify affected parties and interested personnel of quality management system approvals that have been refused, suspended, or withdrawn. CC ID 15045 | Communicate | Preventive | |
Notify affected parties and interested personnel of quality management system approvals that have been issued. CC ID 15036 | Communicate | Preventive | |
Include quality objectives in the Quality Management program. CC ID 13693 | Establish/Maintain Documentation | Preventive | |
Include monitoring and analysis capabilities in the quality management program. CC ID 17153 | Monitor and Evaluate Occurrences | Preventive | |
Include records management in the quality management system. CC ID 15055 | Establish/Maintain Documentation | Preventive | |
Include risk management in the quality management system. CC ID 15054 | Establish/Maintain Documentation | Preventive | |
Include data management procedures in the quality management system. CC ID 15052 | Establish/Maintain Documentation | Preventive | |
Include a post-market monitoring system in the quality management system. CC ID 15027 | Establish/Maintain Documentation | Preventive | |
Include operational roles and responsibilities in the quality management system. CC ID 15028 | Establish/Maintain Documentation | Preventive | |
Include resource management in the quality management system. CC ID 15026 [Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: the quality assurance system shall have adequate resources; Article 29 1.(c) Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: the scope of the quality assurance review, supported by adequate testing of selected audit files, shall include an assessment of compliance with applicable auditing standards and independence requirements, of the quantity and quality of resources spent, of the audit fees charged and of the internal quality control system of the audit firm; Article 29 1.(f)] | Establish/Maintain Documentation | Preventive | |
Include communication protocols in the quality management system. CC ID 15025 | Establish/Maintain Documentation | Preventive | |
Include incident reporting procedures in the quality management system. CC ID 15023 | Establish/Maintain Documentation | Preventive | |
Include technical specifications in the quality management system. CC ID 15021 | Establish/Maintain Documentation | Preventive | |
Document the deficiencies in a deficiency report that were found during Quality Control and corrected during Quality Improvement. CC ID 07203 [Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: the quality assurance review shall be the subject of a report which shall contain the main conclusions of the quality assurance review; Article 29 1.(g)] | Establish/Maintain Documentation | Preventive | |
Include an issue tracking system in the Quality Management program. CC ID 06824 [Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: recommendations of quality reviews shall be followed up by the statutory auditor or audit firm within a reasonable period. Article 29 1.(j)] | Systems Design, Build, and Implementation | Preventive | |
Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a compliance exception standard. CC ID 01628 [{third-country audit entity} Member States shall subject registered third-country auditors and audit entities to their systems of oversight, their quality assurance systems and their systems of investigation and penalties. A Member State may exempt a registered third-country auditor or audit entity from being subject to its quality assurance system if another Member State's or third country's system of quality assurance that has been assessed as equivalent in accordance with Article 46 has carried out a quality review of the third-country auditor or audit entity concerned during the previous three years. Article 45 3.] | Establish/Maintain Documentation | Preventive | |
Include the authority for granting exemptions in the compliance exception standard. CC ID 14329 | Establish/Maintain Documentation | Preventive | |
Include when exemptions expire in the compliance exception standard. CC ID 14330 | Establish/Maintain Documentation | Preventive | |
Include management of the exemption register in the compliance exception standard. CC ID 14328 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate compliance exceptions to interested personnel and affected parties. CC ID 16945 | Communicate | Preventive | |
Establish, implement, and maintain a public oversight system. CC ID 17284 [Member States shall organise an effective system of public oversight for statutory auditors and audit firms based on the principles set out in paragraphs 2 to 7. Article 32 1. All statutory auditors and audit firms shall be subject to public oversight. Article 32 2. The system of public oversight shall be transparent. This shall include the publication of annual work programmes and activity reports. Article 32 6. {third-country audit entity} Member States shall subject registered third-country auditors and audit entities to their systems of oversight, their quality assurance systems and their systems of investigation and penalties. A Member State may exempt a registered third-country auditor or audit entity from being subject to its quality assurance system if another Member State's or third country's system of quality assurance that has been assessed as equivalent in accordance with Article 46 has carried out a quality review of the third-country auditor or audit entity concerned during the previous three years. Article 45 3.] | Business Processes | Preventive | |
Establish, implement, and maintain an oversight plan. CC ID 17302 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the oversight plan to interested personnel and affected parties. CC ID 17308 | Communicate | Preventive | |
Establish, implement, and maintain an oversight team. CC ID 17303 | Process or Activity | Preventive | |
Include roles and responsibilities in the public oversight system. CC ID 17285 [The system of public oversight shall be governed by non-practitioners who are knowledgeable in the areas relevant to statutory audit. Member States may, however, allow a minority of practitioners to be involved in the governance of the public oversight system. Persons involved in the governance of the public oversight system shall be selected in accordance with an independent and transparent nomination procedure. Article 32 3. The system of public oversight shall have the ultimate responsibility for the oversight of: the approval and registration of statutory auditors and audit firms; Article 32 4.(a)] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a financial management program. CC ID 13228 [Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: the funding for the quality assurance system shall be secure and free from any possible undue influence by statutory auditors or audit firms; Article 29 1.(b) The system of public oversight shall be adequately funded. The funding for the public oversight system shall be secure and free from any undue influence by statutory auditors or audit firms. Article 32 7.] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain funds transfer procedures. CC ID 16754 | Establish/Maintain Documentation | Preventive | |
Provide required information that is missing from a funds transfer to the responsible party. CC ID 16761 | Communicate | Preventive | |
Return the funds from a funds transfer when required information is not received or discrepancies are not resolved. CC ID 16760 | Business Processes | Preventive | |
Delay the funds transfer until all required information has been received or discrepancies resolved. CC ID 16759 | Business Processes | Preventive | |
Refrain from making funds from a funds transfer available to the interested personnel until all required information is received. CC ID 16758 | Business Processes | Preventive | |
Investigate discrepancies between the information received and the information verified for each funds transfer. CC ID 16757 | Investigate | Detective | |
Attach the required information to each funds transfer. CC ID 16756 | Business Processes | Preventive | |
Verify all required information is attached to each funds transfer. CC ID 16755 | Business Processes | Detective | |
Establish, implement, and maintain protective measures for customers from a bank's insolvency or default. CC ID 16738 | Business Processes | Preventive | |
Test the protective measures for effectiveness to prevent financial impact to responsible parties. CC ID 16750 | Testing | Preventive | |
Include communication protocols in the financial management program. CC ID 16763 | Establish/Maintain Documentation | Preventive | |
Include ongoing monitoring in the financial management program. CC ID 16762 | Process or Activity | Preventive | |
Employ tools to manage settlement and funding flows. CC ID 16743 | Process or Activity | Preventive | |
Refrain from setting up anonymous financial accounts. CC ID 16721 | Business Processes | Preventive | |
Identify and maintain positions in financial accounts. CC ID 16751 | Business Processes | Preventive | |
Establish, implement, and maintain a financial products and services disclosure policy. CC ID 16717 | Establish/Maintain Documentation | Preventive | |
Require acknowledgment of receipt from the customer in the financial products and services disclosure policy. CC ID 16725 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a subsidiary compliance program. CC ID 16694 | Process or Activity | Preventive | |
Establish, implement, and maintain financial resource management procedures. CC ID 16642 [The system of public oversight shall be adequately funded. The funding for the public oversight system shall be secure and free from any undue influence by statutory auditors or audit firms. Article 32 7.] | Establish/Maintain Documentation | Preventive | |
Document the rationale for the amount of financial resources being held. CC ID 16688 | Establish/Maintain Documentation | Preventive | |
Supplement financial resources, as necessary. CC ID 16685 | Business Processes | Preventive | |
Establish, implement, and maintain collateral procedures. CC ID 16653 | Establish/Maintain Documentation | Preventive | |
Include the use of appropriate models in the collateral procedures. CC ID 16687 | Establish/Maintain Documentation | Preventive | |
Define the collateral requirements in the collateral procedures. CC ID 16686 | Establish/Maintain Documentation | Preventive | |
Test the collateral requirements for appropriateness. CC ID 16681 | Testing | Preventive | |
Limit the types of assets accepted as collateral. CC ID 16602 | Business Processes | Preventive | |
Avoid the use of concentrated holdings of assets. CC ID 16651 | Business Processes | Preventive | |
Establish, implement, and maintain stress test plans for financial resources. CC ID 16644 | Testing | Preventive | |
Include stress scenarios in the stress test plan. CC ID 16659 | Testing | Preventive | |
Analyze the effectiveness of the stress test plan. CC ID 16657 | Process or Activity | Detective | |
Perform stress testing in accordance with the stress test plan. CC ID 16652 | Testing | Preventive | |
Disseminate and communicate the results of stress testing to interested personnel and affected parties. CC ID 16630 | Communicate | Preventive | |
Identify and document the financial resources available for use. CC ID 16643 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain credit loss procedures. CC ID 16683 | Establish/Maintain Documentation | Preventive | |
Include the allocation of credit losses in the credit loss procedures. CC ID 16684 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a securities trading program. CC ID 16626 | Business Processes | Preventive | |
Include fairness and equitability standards in the securities trading program. CC ID 16690 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the securities trading program. CC ID 16689 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a capital restoration plan. CC ID 16613 | Establish/Maintain Documentation | Preventive | |
Include performance guarantees in the capital restoration plan. CC ID 16616 | Establish/Maintain Documentation | Preventive | |
Include corrective actions taken in the capital restoration plan. CC ID 16612 | Establish/Maintain Documentation | Preventive | |
Include required information in the capital restoration plan. CC ID 16609 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain valuation procedures. CC ID 16634 | Establish/Maintain Documentation | Preventive | |
Include investment information in approval requests for investments. CC ID 16590 | Business Processes | Preventive | |
Establish, implement, and maintain capital withdrawal requirements. CC ID 16576 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain lending policies. CC ID 16608 | Establish/Maintain Documentation | Preventive | |
Align the lending policy with the organization's risk acceptance level. CC ID 16716 | Process or Activity | Preventive | |
Include the requirements for risk assessments in the lending policy. CC ID 16730 | Establish/Maintain Documentation | Preventive | |
Include the requirements for sensitivity analyses in the lending policy. CC ID 16728 | Establish/Maintain Documentation | Preventive | |
Include the requirements for feasibility studies in the lending policy. CC ID 16726 | Establish/Maintain Documentation | Preventive | |
Include pricing structures in the lending policy. CC ID 16724 | Establish/Maintain Documentation | Preventive | |
Include monitoring requirements in the lending policy. CC ID 16710 | Establish/Maintain Documentation | Preventive | |
Include loan origination procedures in the lending policy. CC ID 16709 | Establish/Maintain Documentation | Preventive | |
Include review procedures and approval procedures for exception loans in the lending policy. CC ID 16708 | Establish/Maintain Documentation | Preventive | |
Include loan requirements in the lending policy. CC ID 16706 | Establish/Maintain Documentation | Preventive | |
Include appraisals and evaluations in the lending policy. CC ID 16705 | Establish/Maintain Documentation | Preventive | |
Include terms and conditions in the lending policy. CC ID 16695 | Establish/Maintain Documentation | Preventive | |
Include the scope and distribution of loans in the lending policy. CC ID 16693 | Establish/Maintain Documentation | Preventive | |
Include geographic areas in the lending policy. CC ID 16691 | Establish/Maintain Documentation | Preventive | |
Include underwriting guidelines in the lending policy. CC ID 16619 | Establish/Maintain Documentation | Preventive | |
Include credit review in the underwriting guidelines. CC ID 16765 | Establish/Maintain Documentation | Preventive | |
Include loan-to-value ratio limits in the lending policy. CC ID 16618 | Establish/Maintain Documentation | Preventive | |
Include documentation requirements in the lending policy. CC ID 16617 | Establish/Maintain Documentation | Preventive | |
Include the purpose of the loan in the loan documentation. CC ID 16747 | Establish/Maintain Documentation | Preventive | |
Include the source of repayment in the loan documentation. CC ID 16746 | Establish/Maintain Documentation | Preventive | |
Include approval requirements in the lending policy. CC ID 16615 | Establish/Maintain Documentation | Preventive | |
Include reporting requirements in the lending policy. CC ID 16614 | Establish/Maintain Documentation | Preventive | |
Include loan portfolio diversification standards in the lending policy. CC ID 16611 | Establish/Maintain Documentation | Preventive | |
Include loan administration procedures in the lending policy. CC ID 16610 | Establish/Maintain Documentation | Preventive | |
Include loan participation agreements in the loan administration procedures. CC ID 16745 | Establish/Maintain Documentation | Preventive | |
Include termination procedures in the loan participation agreement. CC ID 16753 | Establish/Maintain Documentation | Preventive | |
Justify the safety and efficiency of the participation requirements in the loan participation agreement. CC ID 16752 | Establish/Maintain Documentation | Preventive | |
Include servicing agreements in the loan administration procedures. CC ID 16744 | Establish/Maintain Documentation | Preventive | |
Include claims processing in the loan administration procedures. CC ID 16742 | Establish/Maintain Documentation | Preventive | |
Include forbearance management in the loan administration procedures. CC ID 16741 | Establish/Maintain Documentation | Preventive | |
Include foreclosure management in the loan administration procedures. CC ID 16740 | Establish/Maintain Documentation | Preventive | |
Include delinquency management in the loan administration procedures. CC ID 16739 | Establish/Maintain Documentation | Preventive | |
Include customer due diligence in the loan administration procedures. CC ID 16736 | Process or Activity | Preventive | |
Include the requirements for financial statements in the loan administration procedures. CC ID 16735 | Establish/Maintain Documentation | Preventive | |
Include loan closing in the loan administration procedures. CC ID 16734 | Establish/Maintain Documentation | Preventive | |
Include payoff statements in the loan administration procedures. CC ID 16733 | Establish/Maintain Documentation | Preventive | |
Include payment processing in the loan administration procedures. CC ID 16732 | Establish/Maintain Documentation | Preventive | |
Include loan reviews in the loan administration procedures. CC ID 16703 | Establish/Maintain Documentation | Preventive | |
Include collections in the loan administration procedures. CC ID 16701 | Establish/Maintain Documentation | Preventive | |
Include collateral inspections in the loan administration procedures. CC ID 16699 | Establish/Maintain Documentation | Preventive | |
Include disbursements in the loan administration procedures. CC ID 16697 | Establish/Maintain Documentation | Preventive | |
Review and approve lending policies. CC ID 16607 | Business Processes | Preventive | |
Establish, implement, and maintain a dividend policy. CC ID 16569 | Establish/Maintain Documentation | Preventive | |
Include compliance requirements in the dividend policy. CC ID 16570 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain margin systems. CC ID 16601 | Business Processes | Preventive | |
Include valuation models in the margin system. CC ID 16663 | Data and Information Management | Preventive | |
Include procedures for collecting price data in the margin system. CC ID 16662 | Data and Information Management | Preventive | |
Include reliable sources for price data in the margin system. CC ID 16661 | Data and Information Management | Preventive | |
Validate the margin system on a regular basis. CC ID 16660 | Testing | Detective | |
Assess the properties of the margin model used in the margin system. CC ID 16658 | Process or Activity | Detective | |
Monitor the performance of the margin system. CC ID 16655 | Monitor and Evaluate Occurrences | Detective | |
Analyze the performance of the margin system. CC ID 16654 | Process or Activity | Detective | |
Establish, implement, and maintain capital adequacy measures. CC ID 16568 | Business Processes | Preventive | |
Establish, implement, and maintain escrow procedures for financial transactions. CC ID 16564 | Establish/Maintain Documentation | Preventive | |
Determine the amount of assets to be held in escrow. CC ID 16575 | Investigate | Detective | |
Disseminate and communicate the escrow procedures to interested personnel and affected parties. CC ID 16565 | Communicate | Preventive | |
Include risk management in the Capital Planning and Investment Control policy. CC ID 16764 | Establish/Maintain Documentation | Preventive | |
Include debt rating requirements in the Capital Planning and Investment Control policy. CC ID 16692 | Establish/Maintain Documentation | Preventive | |
Include divestiture requirements in the Capital Planning and Investment Control policy. CC ID 16591 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a recordkeeping system for securities transactions. CC ID 16631 | Establish/Maintain Documentation | Preventive | |
Include order tickets in the recordkeeping system for securities transactions. CC ID 16640 | Data and Information Management | Preventive | |
Include receipts and deliveries of securities in the recordkeeping system for securities transactions. CC ID 16650 | Data and Information Management | Preventive | |
Include debits and credits in the recordkeeping system for securities transactions. CC ID 16639 | Data and Information Management | Preventive | |
Include a description of the transaction in the recordkeeping system for securities transactions. CC ID 16645 | Data and Information Management | Preventive | |
Include chronological records of transactions in the recordkeeping system for securities transactions. CC ID 16638 | Data and Information Management | Preventive | |
Include the name of the dealer in the recordkeeping system for securities transactions. CC ID 16637 | Data and Information Management | Preventive | |
Include the execution price in the recordkeeping system for securities transactions. CC ID 16636 | Data and Information Management | Preventive | |
Include the date and time of the transaction in the recordkeeping system for securities transactions. CC ID 16635 | Data and Information Management | Preventive | |
Include the type of transaction in the recordkeeping system for securities transactions. CC ID 16633 | Data and Information Management | Preventive | |
Include account information in the recordkeeping system for securities transactions. CC ID 16632 | Data and Information Management | Preventive | |
Establish, implement, and maintain securities transaction notifications. CC ID 16600 | Establish/Maintain Documentation | Preventive | |
Include the call date in the securities transaction notification. CC ID 16680 | Establish/Maintain Documentation | Preventive | |
Include service charges and commissions in the securities transaction notification. CC ID 16702 | Establish/Maintain Documentation | Preventive | |
Include the funds and securities in the possession of the organization in the securities transaction notification. CC ID 16679 | Establish/Maintain Documentation | Preventive | |
Include the call price in the securities transaction notification. CC ID 16678 | Establish/Maintain Documentation | Preventive | |
Include debits and credits in the securities transaction notification. CC ID 16677 | Establish/Maintain Documentation | Preventive | |
Include transactions in the securities transaction notification. CC ID 16676 | Establish/Maintain Documentation | Preventive | |
Include the credit rating of securities in the securities transaction notification. CC ID 16674 | Establish/Maintain Documentation | Preventive | |
Include yield information in the securities transaction notification. CC ID 16673 | Establish/Maintain Documentation | Preventive | |
Include redemption information in the securities transaction notification. CC ID 16672 | Establish/Maintain Documentation | Preventive | |
Include the price calculated from the yield in the securities transaction notification. CC ID 16669 | Establish/Maintain Documentation | Preventive | |
Include the type of call in the securities transaction notification. CC ID 16668 | Establish/Maintain Documentation | Preventive | |
Include an account statement in the securities transaction notification. CC ID 16666 | Establish/Maintain Documentation | Preventive | |
Include the yield to maturity in the securities transaction notification. CC ID 16665 | Establish/Maintain Documentation | Preventive | |
Include the execution price in the securities transaction notification. CC ID 16664 | Establish/Maintain Documentation | Preventive | |
Include the organization's role in the securities transaction notification. CC ID 16646 | Establish/Maintain Documentation | Preventive | |
Include the name of the broker in the securities transaction notification. CC ID 16647 | Establish/Maintain Documentation | Preventive | |
Include the name of the customer in the securities transaction notification. CC ID 16625 | Establish/Maintain Documentation | Preventive | |
Include the organization's name in the securities transaction notification. CC ID 16624 | Establish/Maintain Documentation | Preventive | |
Include confirmations in the securities transaction notification. CC ID 16623 | Establish/Maintain Documentation | Preventive | |
Include remunerations in the securities transaction notification. CC ID 16622 | Establish/Maintain Documentation | Preventive | |
Include requested information in the securities transaction notification. CC ID 16641 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate securities transaction notifications to interested personnel and affected parties. CC ID 16621 | Communicate | Preventive | |
Include the execution date in the securities transaction notification. CC ID 16620 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain financial reports. CC ID 14770 [Without prejudice to the responsibility of the members of the administrative, management or supervisory bodies, or of other members who are appointed by the general meeting of shareholders of the audited entity, the audit committee shall, inter alia: monitor the financial reporting process; Article 41 2.(a)] | Establish/Maintain Documentation | Preventive | |
Structure financial reports in accordance with external requirements, as necessary. CC ID 14776 | Establish/Maintain Documentation | Preventive | |
Include the report of independent Certified Public Accountants in the financial report. CC ID 14779 | Establish/Maintain Documentation | Preventive | |
Include the business need justification for lost value in the financial report. CC ID 15588 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the financial report to interested personnel and affected parties. CC ID 16342 | Communicate | Preventive | |
Include financial statements in the financial report, as necessary. CC ID 14775 | Establish/Maintain Documentation | Preventive | |
Include capital deductions and adjustments in the financial statement. CC ID 16667 | Establish/Maintain Documentation | Preventive | |
Include earnings per share or loss per share in the financial statement. CC ID 16597 | Establish/Maintain Documentation | Preventive | |
Include material contingencies in the financial statement. CC ID 16596 | Establish/Maintain Documentation | Preventive | |
Include notes to financial statements in the financial report, as necessary. CC ID 14780 | Establish/Maintain Documentation | Preventive | |
Include information on loans to small businesses and small farms in the call report. CC ID 16731 | Establish/Maintain Documentation | Preventive | |
Include assets and liabilities in the call report. CC ID 16729 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the call report to interested personnel and affected parties. CC ID 16727 | Communicate | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Monitoring and measurement CC ID 00636 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a compliance monitoring policy. CC ID 00671 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a metrics policy. CC ID 01654 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an approach for compliance monitoring. CC ID 01653 | Establish/Maintain Documentation | Preventive | |
Monitor personnel and third parties for compliance to the organizational compliance framework. CC ID 04726 | Monitor and Evaluate Occurrences | Detective | |
Carry out disciplinary actions when a compliance violation is detected. CC ID 06675 [Member States shall ensure that statutory auditors are required to take part in appropriate programmes of continuing education in order to maintain their theoretical knowledge, professional skills and values at a sufficiently high level, and that failure to respect the continuing education requirements is subject to appropriate penalties as referred to in Article 30. Article 13 ¶ 1 If the recommendations referred to in point (j) are not followed up, the statutory auditor or audit firm shall, if applicable, be subject to the system of disciplinary actions or penalties referred to in Article 30. Article 29 1. ¶ 1 Where a competent authority concludes that activities contrary to the provisions of this Directive are being or have been carried out on the territory of another Member State, it shall notify the competent authority of the other Member State of that conclusion in as specific a manner as possible. The competent authority of the other Member State shall take appropriate action. It shall inform the notifying competent authority of the outcome and, to the extent possible, of significant interim developments. Article 36 5. Without prejudice to Member States' civil liability regimes, Member States shall provide for effective, proportionate and dissuasive penalties in respect of statutory auditors and audit firms, where statutory audits are not carried out in conformity with the provisions adopted in the implementation of this Directive. Article 30 2. {investigation process} {disciplinary process} The system of public oversight shall have the ultimate responsibility for the oversight of: continuing education, quality assurance and investigative and disciplinary systems. Article 32 4.(c) The system of public oversight shall have the right, where necessary, to conduct investigations in relation to statutory auditors and audit firms and the right to take appropriate action. Article 32 5. {third-country audit entity} Member States shall subject registered third-country auditors and audit entities to their systems of oversight, their quality assurance systems and their systems of investigation and penalties. A Member State may exempt a registered third-country auditor or audit entity from being subject to its quality assurance system if another Member State's or third country's system of quality assurance that has been assessed as equivalent in accordance with Article 46 has carried out a quality review of the third-country auditor or audit entity concerned during the previous three years. Article 45 3.] | Behavior | Corrective | |
Establish, implement, and maintain disciplinary action notices. CC ID 16577 | Establish/Maintain Documentation | Preventive | |
Include a copy of the order in the disciplinary action notice. CC ID 16606 | Establish/Maintain Documentation | Preventive | |
Include the sanctions imposed in the disciplinary action notice. CC ID 16599 | Establish/Maintain Documentation | Preventive | |
Include the effective date of the sanctions in the disciplinary action notice. CC ID 16589 | Establish/Maintain Documentation | Preventive | |
Include the requirements that were violated in the disciplinary action notice. CC ID 16588 | Establish/Maintain Documentation | Preventive | |
Include responses to charges from interested personnel and affected parties in the disciplinary action notice. CC ID 16587 | Establish/Maintain Documentation | Preventive | |
Include the reasons for imposing sanctions in the disciplinary action notice. CC ID 16586 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the disciplinary action notice to interested personnel and affected parties. CC ID 16585 [Where a competent authority concludes that activities contrary to the provisions of this Directive are being or have been carried out on the territory of another Member State, it shall notify the competent authority of the other Member State of that conclusion in as specific a manner as possible. The competent authority of the other Member State shall take appropriate action. It shall inform the notifying competent authority of the outcome and, to the extent possible, of significant interim developments. Article 36 5.] | Communicate | Preventive | |
Include required information in the disciplinary action notice. CC ID 16584 | Establish/Maintain Documentation | Preventive | |
Include a justification for actions taken in the disciplinary action notice. CC ID 16583 | Establish/Maintain Documentation | Preventive | |
Include a statement on the conclusions of the investigation in the disciplinary action notice. CC ID 16582 | Establish/Maintain Documentation | Preventive | |
Include the investigation results in the disciplinary action notice. CC ID 16581 | Establish/Maintain Documentation | Preventive | |
Include a description of the causes of the actions taken in the disciplinary action notice. CC ID 16580 | Establish/Maintain Documentation | Preventive | |
Include the name of the person responsible for the charges in the disciplinary action notice. CC ID 16579 | Establish/Maintain Documentation | Preventive | |
Include contact information in the disciplinary action notice. CC ID 16578 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a cross-organizational audit sharing agreement. CC ID 10595 | Establish/Maintain Documentation | Preventive | |
Provide cross-organizational audit information based on the cross-organizational audit sharing agreement. CC ID 10596 [The competent authorities of Member States responsible for approval, registration, quality assurance, inspection and discipline shall cooperate with each other whenever necessary for the purpose of carrying out their respective responsibilities under this Directive. The competent authorities in a Member State responsible for approval, registration, quality assurance, inspection and discipline shall render assistance to competent authorities in other Member States. In particular, competent authorities shall exchange information and cooperate in investigations related to the carrying-out of statutory audits. Article 36 1.] | Audits and Risk Management | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Operational management CC ID 00805 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an information security program. CC ID 00812 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain operational control procedures. CC ID 00831 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a Standard Operating Procedures Manual. CC ID 00826 | Establish/Maintain Documentation | Preventive | |
Include information sharing procedures in standard operating procedures. CC ID 12974 | Records Management | Preventive | |
Provide support for information sharing activities. CC ID 15644 [The competent authorities of Member States responsible for approval, registration, quality assurance, inspection and discipline shall cooperate with each other whenever necessary for the purpose of carrying out their respective responsibilities under this Directive. The competent authorities in a Member State responsible for approval, registration, quality assurance, inspection and discipline shall render assistance to competent authorities in other Member States. In particular, competent authorities shall exchange information and cooperate in investigations related to the carrying-out of statutory audits. Article 36 1.] | Process or Activity | Preventive | |
Establish, implement, and maintain a registration database. CC ID 15048 [{unique identifier} Member States shall ensure that each statutory auditor and audit firm is identified in the public register by an individual number. Registration information shall be stored in the register in electronic form and shall be electronically accessible to the public. Article 15 2. Member States shall ensure that statutory auditors and audit firms notify the competent authorities in charge of the public register without undue delay of any change of information contained in the public register. The register shall be updated without undue delay after notification. Article 18 ¶ 1 Each Member State shall ensure that statutory auditors and audit firms are entered in a public register in accordance with Articles 16 and 17. In exceptional circumstances, Member States may disapply the requirements laid down in this Article and Article 16 regarding disclosure only to the extent necessary to mitigate an imminent and significant threat to the personal security of any person. Article 15 1.] | Data and Information Management | Preventive | |
Grant registration after competence and integrity is verified. CC ID 16802 [Member States may additionally allow the information to be entered in the public register in any other official language(s) of the Community. Member States may require the translation of the information to be certified. Article 20 2. ¶ 1 {public register} In all cases, the Member State concerned shall ensure that the register indicates whether or not the translation is certified. Article 20 2. ¶ 2] | Behavior | Detective | |
Implement access restrictions for information in the registration database. CC ID 17235 | Data and Information Management | Preventive | |
Include registration numbers in the registration database. CC ID 17272 [As regards statutory auditors, the public register shall contain at least the following information: name, address and registration number; Article 16 1.(a) As regards statutory auditors, the public register shall contain at least the following information: if applicable, the name, address, website address and registration number of the audit firm(s) by which the statutory auditor is employed, or with whom he or she is associated as a partner or otherwise; Article 16 1.(b) As regards audit firms, the public register shall contain at least the following information: name, address and registration number; Article 17 1.(a)] | Data and Information Management | Preventive | |
Include electronic signatures in the registration database. CC ID 17281 [{public register} The information provided to the relevant competent authorities in accordance with Articles 16, 17 and 18 shall be signed by the statutory auditor or audit firm. Where the competent authority provides for the information to be made available electronically, that can, for example, be done by means of an electronic signature as defined in point 1 of Article 2 of Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures (19). Article 19 ¶ 1] | Data and Information Management | Preventive | |
Include other registrations in the registration database. CC ID 17274 [As regards audit firms, the public register shall contain at least the following information: all other registration(s) as audit firm with the competent authorities of other Member States and as audit entity with third countries, including the name(s) of the registration authority(ies), and, if applicable, the registration number(s). Article 17 1.(i)] | Data and Information Management | Preventive | |
Include the owners and shareholders in the registration database. CC ID 17273 [As regards audit firms, the public register shall contain at least the following information: names and business addresses of all owners and shareholders; Article 17 1.(f)] | Data and Information Management | Preventive | |
Include contact details in the registration database. CC ID 15109 [The public register shall also contain the name and address of the competent authorities responsible for approval as referred to in Article 3, for quality assurance as referred to in Article 29, for investigations and penalties on statutory auditors and audit firms as referred to in Article 30, and for public oversight as referred to in Article 32. Article 15 3. As regards statutory auditors, the public register shall contain at least the following information: name, address and registration number; Article 16 1.(a) As regards statutory auditors, the public register shall contain at least the following information: if applicable, the name, address, website address and registration number of the audit firm(s) by which the statutory auditor is employed, or with whom he or she is associated as a partner or otherwise; Article 16 1.(b) As regards audit firms, the public register shall contain at least the following information: name, address and registration number; Article 17 1.(a) As regards audit firms, the public register shall contain at least the following information: contact information, the primary contact person and, where applicable, the website address; Article 17 1.(c) As regards audit firms, the public register shall contain at least the following information: address of each office in the Member State; Article 17 1.(d) As regards audit firms, the public register shall contain at least the following information: names and business addresses of all members of the administrative or management body; Article 17 1.(g) As regards audit firms, the public register shall contain at least the following information: if applicable, the membership of a network and a list of the names and addresses of member firms and affiliates or an indication of the place where such information is publicly available; Article 17 1.(h)] | Establish/Maintain Documentation | Preventive | |
Include personal data in the registration database, as necessary. CC ID 15108 | Establish/Maintain Documentation | Preventive | |
Publish the registration information in the registration database in an official language. CC ID 17280 [The information entered in the public register shall be drawn up in one of the languages permitted by the language rules applicable in the Member State concerned. Article 20 1. Member States may additionally allow the information to be entered in the public register in any other official language(s) of the Community. Member States may require the translation of the information to be certified. Article 20 2. ¶ 1] | Data and Information Management | Preventive | |
Make the registration database available to the public. CC ID 15107 [{unique identifier} Member States shall ensure that each statutory auditor and audit firm is identified in the public register by an individual number. Registration information shall be stored in the register in electronic form and shall be electronically accessible to the public. Article 15 2.] | Communicate | Preventive | |
Maintain non-public information in a protected area in the registration database. CC ID 17237 | Data and Information Management | Preventive | |
Impose conditions or restrictions on the termination or suspension of a registration. CC ID 16796 | Business Processes | Preventive | |
Publish the IP addresses being used by each external customer in the registration database. CC ID 16403 | Data and Information Management | Preventive | |
Update registration information upon changes. CC ID 17275 [Member States shall ensure that statutory auditors and audit firms notify the competent authorities in charge of the public register without undue delay of any change of information contained in the public register. The register shall be updated without undue delay after notification. Article 18 ¶ 1] | Data and Information Management | Preventive | |
Maintain the accuracy of registry information published in registration databases. CC ID 16402 | Data and Information Management | Preventive | |
Maintain ease of use for information in the registration database. CC ID 17239 [{unique identifier} Member States shall ensure that each statutory auditor and audit firm is identified in the public register by an individual number. Registration information shall be stored in the register in electronic form and shall be electronically accessible to the public. Article 15 2.] | Data and Information Management | Preventive | |
Include all required information in the registration database. CC ID 15106 [As regards statutory auditors, the public register shall contain at least the following information: all other registration(s) as statutory auditor with the competent authorities of other Member States and as auditor with third countries, including the name(s) of the registration authority(ies), and, if applicable, the registration number(s). Article 16 1.(c) As regards audit firms, the public register shall contain at least the following information: name and registration number of all statutory auditors employed by or associated as partners or otherwise with the audit firm; Article 17 1.(e) {not be indicated} {public register} Third-country audit entities registered in accordance with Article 45 shall be clearly indicated in the register as such and not as audit firms. Article 17 2. {public register} {do not indicate} Third-country auditors registered in accordance with Article 45 shall be clearly indicated in the register as such and not as statutory auditors. Article 16 2. As regards audit firms, the public register shall contain at least the following information: legal form; Article 17 1.(b) {third-country audit entity} The competent authorities of a Member State shall, in accordance with Articles 15 to 17, register every third-country auditor and audit entity that provides an audit report concerning the annual or consolidated accounts of a company incorporated outwith the Community whose transferable securities are admitted to trading on a regulated market of that Member State within the meaning of point 14 of Article 4(1) of Directive 2004/39/EC, except when the company is an issuer exclusively of debt securities admitted to trading on a regulated market in a Member State within the meaning of Article 2(1)(b) of Directive 2004/109/EC, the denomination per unit of which is at least EUR 50 000 or, in case of debt securities denominated in another currency, equivalent, at the date of issue, to at least EUR 50 000. Article 45 1.] | Data and Information Management | Preventive | |
KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term. Mandated - bold; Implied - italic; Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Privacy protection for information and data CC ID 00008 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a personal data accountability program. CC ID 13432 | Establish/Maintain Documentation | Preventive | |
Require data controllers to be accountable for their actions. CC ID 00470 | Establish Roles | Preventive | |
Notify the supervisory authority. CC ID 00472 [Where a competent authority concludes that activities contrary to the provisions of this Directive are being or have been carried out on the territory of another Member State, it shall notify the competent authority of the other Member State of that conclusion in as specific a manner as possible. The competent authority of the other Member State shall take appropriate action. It shall inform the notifying competent authority of the outcome and, to the extent possible, of significant interim developments. Article 36 5. Member States shall communicate to the Commission the working arrangements referred to in paragraphs 1 and 4. Article 47 6.] | Behavior | Preventive | |
Establish, implement, and maintain approval applications. CC ID 16778 [The competent authorities of the Member States shall establish procedures for the approval of statutory auditors who have been approved in other Member States. Those procedures shall not go beyond a requirement to pass an aptitude test in accordance with Article 4 of Council Directive 89/48/EEC of 21 December 1988 on a general system for the recognition of higher-education diplomas awarded on completion of professional education and training of at least three years' duration (18). The aptitude test, which shall be conducted in one of the languages permitted by the language rules applicable in the Member State concerned, shall cover only the statutory auditor's adequate knowledge of the laws and regulations of that Member State in so far as relevant to statutory audits. Article 14 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Define the requirements for approving or denying approval applications. CC ID 16780 | Business Processes | Preventive | |
Submit approval applications to the supervisory authority. CC ID 16627 | Communicate | Preventive | |
Include required information in the approval application. CC ID 16628 | Establish/Maintain Documentation | Preventive | |
Extend the time limit for approving or denying approval applications. CC ID 16779 | Business Processes | Preventive | |
Approve the approval application unless applicant has been convicted. CC ID 16603 | Process or Activity | Preventive | |
Provide the supervisory authority with any information requested by the supervisory authority. CC ID 12606 [Competent authorities shall, on request, and without undue delay, supply any information required for the purpose referred to in paragraph 1. Where necessary, the competent authorities receiving any such request shall, without undue delay, take the necessary measures to gather the required information. Information thus supplied shall be covered by the obligation of professional secrecy to which the persons employed or formerly employed by the competent authorities that received the information are subject. Article 36 4. ¶ 1] | Process or Activity | Preventive | |
Notify the supervisory authority of the safeguards employed to protect the data subject's rights. CC ID 12605 | Communicate | Preventive | |
Respond to questions about submissions in a timely manner. CC ID 16930 | Communicate | Preventive | |
Include any reasons for delay if notifying the supervisory authority after the time limit. CC ID 12675 [If the requested competent authority is not able to supply the required information without undue delay, it shall notify the requesting competent authority of the reasons therefor. Article 36 4. ¶ 2] | Communicate | Corrective | |
Establish, implement, and maintain a personal data use limitation program. CC ID 13428 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain data access procedures. CC ID 00414 [The working arrangements referred to in paragraph 1(d) shall ensure that: justification as to the purpose of the request for audit working papers and other documents is provided by the competent authorities; Article 47 2.(a)] | Establish/Maintain Documentation | Preventive | |
Allow data subjects to submit data requests. CC ID 16545 | Process or Activity | Preventive | |
Provide individuals with information about where their personal data was processed. CC ID 00415 | Data and Information Management | Preventive | |
Provide individuals with information about the processing purpose of their personal data. CC ID 00416 | Data and Information Management | Preventive | |
Provide individuals with information about disclosure of their personal data. CC ID 00417 | Data and Information Management | Preventive | |
Allow guardians and legal representatives access to personal data about the individual for whom they are guardians or legal representatives. CC ID 00418 | Data and Information Management | Preventive | |
Provide assistance to requesters in preparing data access requests. CC ID 13588 | Data and Information Management | Preventive | |
Require data access requests to be in writing, unless the requester is unable. CC ID 00420 | Establish/Maintain Documentation | Preventive | |
Define what is to be included in a data access request. CC ID 08699 | Establish/Maintain Documentation | Preventive | |
Refrain from requiring data subjects to justify personal data access requests. CC ID 12394 | Business Processes | Preventive | |
Respond to data access requests in a timely manner. CC ID 00421 | Behavior | Preventive | |
Respond to data access requests in an official language. CC ID 17176 | Communicate | Preventive | |
Delay responding to data access requests, as necessary. CC ID 15504 | Data and Information Management | Preventive | |
Expedite the processing of data access requests, as necessary. CC ID 15496 | Data and Information Management | Preventive | |
Notify the individual of the reasons for delays in responding to data access requests. CC ID 00422 | Behavior | Detective | |
Notify the individual when a cost is imposed which must be paid in advance to gain access. CC ID 00423 | Behavior | Detective | |
Grant a waiver or reduction of fees for data access under defined conditions. CC ID 15502 | Business Processes | Preventive | |
Define what is included in a request for a waiver or reduction of fees. CC ID 15522 | Process or Activity | Preventive | |
Deliver the records described in the personal data access request, as necessary. CC ID 08701 | Establish/Maintain Documentation | Preventive | |
Provide individuals with an estimate of how much data was withheld from the data access request. CC ID 15503 | Data and Information Management | Preventive | |
Document the outcome of the personal data access request review procedure. CC ID 00455 | Data and Information Management | Preventive | |
Establish, implement, and maintain procedures for individuals to be able to modify their personal data, as necessary. CC ID 11811 | Establish/Maintain Documentation | Preventive | |
Submit personal data removal requests in writing. CC ID 11973 | Records Management | Preventive | |
Include a liability waiver for any harm caused by the exclusion of personal data in the personal data removal request. CC ID 11975 | Establish/Maintain Documentation | Preventive | |
Allow authorized individuals to authenticate record entries containing personal data. CC ID 11812 | Records Management | Corrective | |
Notify third parties of data access requests that relate to the third party. CC ID 08703 | Establish/Maintain Documentation | Preventive | |
Allow affected third parties to consent or object to a data access request. CC ID 08704 | Process or Activity | Preventive | |
Establish, implement, and maintain restricted data use limitation procedures. CC ID 00128 | Establish/Maintain Documentation | Preventive | |
Process restricted data lawfully and carefully. CC ID 00086 [Without prejudice to the obligations to which they are subject in judicial proceedings, competent authorities which receive information pursuant to paragraph 1 may use it only for the exercise of their functions within the scope of this Directive and in the context of administrative or judicial proceedings specifically related to the exercise of those functions. Article 36 4. ¶ 4] | Establish Roles | Preventive | |
Analyze requirements for processing personal data in contracts. CC ID 12550 | Investigate | Detective | |
Implement technical controls that limit processing restricted data for specific purposes. CC ID 12646 | Technical Security | Preventive | |
Process personal data pertaining to a patient's health in order to treat those patients. CC ID 00200 | Data and Information Management | Preventive | |
Notify the subject of care when a lack of availability of health information systems might have adversely affected their care. CC ID 13990 | Communicate | Corrective | |
Refrain from disclosing Individually Identifiable Health Information when in violation of territorial or federal law. CC ID 11966 | Records Management | Preventive | |
Document the conditions for the use or disclosure of Individually Identifiable Health Information by a covered entity to another covered entity. CC ID 00210 | Establish/Maintain Documentation | Preventive | |
Disclose Individually Identifiable Health Information for a covered entity's own use. CC ID 00211 | Data and Information Management | Preventive | |
Disclose Individually Identifiable Health Information for a healthcare provider's treatment activities by a covered entity. CC ID 00212 | Data and Information Management | Preventive | |
Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted with the consent of the data subject. CC ID 11970 | Records Management | Preventive | |
Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is to support the treatment of the individual. CC ID 11969 | Process or Activity | Preventive | |
Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted by law. CC ID 11976 | Records Management | Preventive | |
Disclose Individually Identifiable Health Information for payment activities between covered entities or healthcare providers. CC ID 00213 | Data and Information Management | Preventive | |
Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities when both covered entities have a relationship with the data subject. CC ID 00214 | Data and Information Management | Preventive | |
Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities between a covered entity and a participating healthcare provider when the information is collected from the data subject and a third party. CC ID 00215 | Data and Information Management | Preventive | |
Disclose Individually Identifiable Health Information in accordance with agreed upon restrictions. CC ID 06249 | Data and Information Management | Preventive | |
Disclose Individually Identifiable Health Information in accordance with the privacy notice. CC ID 06250 | Data and Information Management | Preventive | |
Disclose permitted Individually Identifiable Health Information for facility directories. CC ID 06251 | Data and Information Management | Preventive | |
Disclose Individually Identifiable Health Information for cadaveric organ donation purposes, eye donation purposes, or tissue donation purposes. CC ID 06252 | Data and Information Management | Preventive | |
Disclose Individually Identifiable Health Information for medical suitability determinations. CC ID 06253 | Data and Information Management | Preventive | |
Disclose Individually Identifiable Health Information for armed forces personnel appropriately. CC ID 06254 | Data and Information Management | Preventive | |
Disclose Individually Identifiable Health Information in order to provide public benefits by government agencies. CC ID 06255 | Data and Information Management | Preventive | |
Disclose Individually Identifiable Health Information for fundraising. CC ID 06256 | Data and Information Management | Preventive | |
Disclose Individually Identifiable Health Information for research use when the appropriate requirements are included in the approval documentation or waiver documentation. CC ID 06257 | Establish/Maintain Documentation | Preventive | |
Document the conditions for the disclosure of Individually Identifiable Health Information by an organization providing healthcare services to organizations other than business associates or other covered entities. CC ID 00201 | Establish/Maintain Documentation | Preventive | |
Disclose Individually Identifiable Health Information when the data subject cannot physically or legally provide consent and the disclosing organization is a healthcare provider. CC ID 00202 | Data and Information Management | Preventive | |
Disclose Individually Identifiable Health Information to provide appropriate treatment to the data subject when the disclosing organization is a healthcare provider. CC ID 00203 | Data and Information Management | Preventive | |
Disclose Individually Identifiable Health Information when it is not contrary to the data subject's wish prior to becoming unable to provide consent and the disclosing organization is a healthcare provider. CC ID 00204 | Data and Information Management | Preventive | |
Disclose Individually Identifiable Health Information that is reasonable or necessary for the disclosure purpose when the disclosing organization is a healthcare provider. CC ID 00205 | Data and Information Management | Preventive | |
Disclose Individually Identifiable Health Information consistent with the law when the disclosing organization is a healthcare provider. CC ID 00206 | Data and Information Management | Preventive | |
Disclose Individually Identifiable Health Information in order to carry out treatment when the disclosing organization is a healthcare provider. CC ID 00207 | Data and Information Management | Preventive | |
Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject has provided consent and the disclosing organization is a healthcare provider. CC ID 00208 | Data and Information Management | Preventive | |
Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject's guardian or representative has provided consent and the disclosing organization is a healthcare provider. CC ID 00209 | Data and Information Management | Preventive | |
Disclose Individually Identifiable Health Information when the disclosing organization is a healthcare provider that supports public health and safety activities. CC ID 06248 | Data and Information Management | Preventive | |
Disclose Individually Identifiable Health Information in order to report abuse or neglect when the disclosing organization is a healthcare provider. CC ID 06819 | Data and Information Management | Preventive | |
Refrain from disclosing Individually Identifiable Health Information related to reproductive health care, as necessary. CC ID 17250 | Business Processes | Preventive | |
Document how Individually Identifiable Health Information is used and disclosed when authorization has been granted. CC ID 00216 | Establish/Maintain Documentation | Preventive | |
Define and implement valid authorization control requirements. CC ID 06258 | Establish/Maintain Documentation | Preventive | |
Obtain explicit consent for authorization to release Individually Identifiable Health Information. CC ID 00217 | Data and Information Management | Preventive | |
Obtain explicit consent for authorization to release psychotherapy notes. CC ID 00218 | Data and Information Management | Preventive | |
Cease the use or disclosure of Individually Identifiable Health Information under predetermined conditions. CC ID 17251 | Business Processes | Preventive | |
Refrain from using Individually Identifiable Health Information related to reproductive health care, as necessary. CC ID 17256 | Business Processes | Preventive | |
Refrain from using Individually Identifiable Health Information to determine eligibility or continued eligibility for credit. CC ID 00219 | Data and Information Management | Preventive | |
Process personal data after the data subject has granted explicit consent. CC ID 00180 | Data and Information Management | Preventive | |
Process personal data in order to perform a legal obligation or exercise a legal right. CC ID 00182 | Data and Information Management | Preventive | |
Process personal data relating to criminal offenses when required by law. CC ID 00237 | Data and Information Management | Preventive | |
Process personal data in order to prevent personal injury or damage to the data subject's health. CC ID 00183 | Data and Information Management | Preventive | |
Process personal data in order to prevent personal injury or damage to a third party's health. CC ID 00184 | Data and Information Management | Preventive | |
Process personal data for statistical purposes or scientific purposes. CC ID 00256 | Data and Information Management | Preventive | |
Process personal data during legitimate activities with safeguards for the data subject's legal rights. CC ID 00185 | Data and Information Management | Preventive | |
Process traffic data in a controlled manner. CC ID 00130 | Data and Information Management | Preventive | |
Process personal data for health insurance, social insurance, state social benefits, social welfare, or child protection. CC ID 00186 | Data and Information Management | Preventive | |
Process personal data when it is publicly accessible. CC ID 00187 | Data and Information Management | Preventive | |
Process personal data for direct marketing and other personalized mail programs. CC ID 00188 | Data and Information Management | Preventive | |
Refrain from processing personal data for marketing or advertising to children. CC ID 14010 | Business Processes | Preventive | |
Refrain from disseminating and communicating with individuals that have opted out of direct marketing communications. CC ID 13708 | Communicate | Corrective | |
Process personal data for the purposes of employment. CC ID 16527 | Data and Information Management | Preventive | |
Process personal data for justice administration, lawsuits, judicial decisions, and investigations. CC ID 00189 | Data and Information Management | Preventive | |
Process personal data for debt collection or benefit payments. CC ID 00190 | Data and Information Management | Preventive | |
Process personal data in order to advance the public interest. CC ID 00191 | Data and Information Management | Preventive | |
Process personal data for surveys, archives, or scientific research. CC ID 00192 | Data and Information Management | Preventive | |
Process personal data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00193 | Data and Information Management | Preventive | |
Process personal data for academic purposes or religious purposes. CC ID 00194 | Data and Information Management | Preventive | |
Process personal data when it is used by a public authority for National Security policy or criminal policy. CC ID 00195 | Data and Information Management | Preventive | |
Refrain from storing data in newly created files or registers which directly or indirectly reveals the restricted data. CC ID 00196 | Data and Information Management | Preventive | |
Follow legal obligations while processing personal data. CC ID 04794 | Data and Information Management | Preventive | |
Start personal data processing only after the needed notifications are submitted. CC ID 04791 | Data and Information Management | Preventive | |
Refrain from disclosing personal data absent consent of the individual or for defined exceptions. CC ID 11967 [The obligation of professional secrecy shall apply to all persons who are employed or who have been employed by competent authorities. Information covered by professional secrecy may not be disclosed to any other person or authority except by virtue of the laws, regulations or administrative procedures of a Member State. Article 36 2.] | Records Management | Preventive | |
Establish, implement, and maintain data disclosure procedures. CC ID 00133 [Each Member State shall ensure that statutory auditors and audit firms are entered in a public register in accordance with Articles 16 and 17. In exceptional circumstances, Member States may disapply the requirements laid down in this Article and Article 16 regarding disclosure only to the extent necessary to mitigate an imminent and significant threat to the personal security of any person. Article 15 1.] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the disclosure requirements to interested personnel and affected parties. CC ID 16901 | Communicate | Preventive | |
Identify any adverse effects the disclosure of personal data will have on the data subject. CC ID 15298 | Data and Information Management | Preventive | |
Review personal data disclosure requests. CC ID 07129 | Data and Information Management | Preventive | |
Notify the data subject of the disclosure purpose. CC ID 15268 | Communicate | Preventive | |
Establish, implement, and maintain data request denial procedures. CC ID 00434 [The working arrangements referred to in paragraph 1(d) shall ensure that: the request from a competent authority of a third country for audit working papers or other documents held by a statutory auditor or audit firm can be refused: where judicial proceedings have already been initiated in respect of the same actions and against the same persons before the authorities of the requested Member State. Article 47 2.(d) Bullet 2 The working arrangements referred to in paragraph 1(d) shall ensure that: the request from a competent authority of a third country for audit working papers or other documents held by a statutory auditor or audit firm can be refused: where the provision of those working papers or documents would adversely affect the sovereignty, security or public order of the Community or of the requested Member State, or Article 47 2.(d) Bullet 1] | Establish/Maintain Documentation | Preventive | |
Include frivolous requests or vexatious requests as a reason for denial in the personal data request denial procedures. CC ID 00435 | Data and Information Management | Preventive | |
Include when the required information is unavailable as a reason for denial in the personal data request denial procedures. CC ID 00436 | Data and Information Management | Preventive | |
Include when the disclosure of personal data constitutes contempt of court or contempt of House of Representatives as a reason for denial in the personal data request denial procedures. CC ID 00437 | Data and Information Management | Preventive | |
Include disclosing personal data that would identify suppliers or breaches an express promise of privacy or implied promise of privacy as a reason for denial in the personal data request denial procedures. CC ID 00438 | Data and Information Management | Preventive | |
Include disclosing personal data that would compromise National Security as a reason for denial in the personal data request denial procedures. CC ID 00439 | Data and Information Management | Preventive | |
Include information that is protected by attorney-client privilege as a reason for denial in the personal data request denial procedures. CC ID 00440 | Data and Information Management | Preventive | |
Include disclosing personal data that would reveal trade secrets, commercial information, or harmful financial information as a reason for denial in the personal data request denial procedures. CC ID 00441 [The competent authorities may refuse to act on a request for information where: supplying information might adversely affect the sovereignty, security or public order of the requested Member State or breach national security rules; or Article 36 4. ¶ 3 (a)] | Data and Information Management | Preventive | |
Include disclosing personal data that would threaten an individual's life or an individual's security as a reason for denial in the personal data request denial procedures. CC ID 00442 | Data and Information Management | Preventive | |
Include disclosing personal data that would have an unreasonable impact on another individual's privacy as a reason for denial in the personal data request denial procedures. CC ID 00443 | Data and Information Management | Preventive | |
Include disclosing personal data that would threaten facilities, property, transport, or communication systems as a reason for denial in the personal data request denial procedures. CC ID 08702 | Process or Activity | Preventive | |
Include responding to access requests after the time limit as a reason for denial in the personal data request denial procedures. CC ID 13600 [The competent authorities may refuse to act on a request for information where: final judgment has already been passed in respect of the same actions and on the same statutory auditors or audit firms by the competent authorities of the requested Member State. Article 36 4. ¶ 3 (c)] | Data and Information Management | Preventive | |
Include information that was generated from a formal dispute as a reason for denial in the personal data request denial procedures. CC ID 00444 [The competent authorities may refuse to act on a request for information where: judicial proceedings have already been initiated in respect of the same actions and against the same statutory auditors or audit firms before the authorities of the requested Member State; or Article 36 4. ¶ 3 (b)] | Data and Information Management | Preventive | |
Include personal data that is used solely for scientific research, scholarly research, statistical research, library purposes, museum purposes, or archival purposes as a reason for denial in the personal data request denial procedures. CC ID 00445 | Data and Information Management | Preventive | |
Include personal data that is for the state's economic interest as a reason for denial in the personal data request denial procedures. CC ID 00446 | Data and Information Management | Detective | |
Include personal data that is for protecting the civil rights or others' freedoms as a reason for denial in the personal data request denial procedures. CC ID 00447 | Data and Information Management | Preventive | |
Include disclosing personal data that constitutes a state secret as a reason for denial in the personal data request denial procedures. CC ID 00448 | Data and Information Management | Preventive | |
Include disclosing personal data that would result in interference with the operation of public functions as a reason for denial in the personal data request denial procedures. CC ID 00449 | Data and Information Management | Preventive | |
Include disclosing personal data that would interrupt criminal investigation and surveillance or other legal purposes as a reason for denial in the personal data request denial procedures. CC ID 00450 | Data and Information Management | Preventive | |
Include when a country's laws prevent disclosure as a reason for denial in the personal data request denial procedures. CC ID 00451 | Data and Information Management | Preventive | |
Include disclosing personal data that would interfere with grievance proceeding or employee security investigations as a reason for denial in the personal data request denial procedures. CC ID 06873 | Data and Information Management | Preventive | |
Include disclosing personal data that would interfere with commercial acquisitions or reorganizations as a reason for denial in the personal data request denial procedures. CC ID 06874 | Data and Information Management | Preventive | |
Include if the cost or burden of disclosing the personal data is disproportionate as a reason for denial in the personal data request denial procedures. CC ID 06875 | Data and Information Management | Preventive | |
Notify interested personnel and affected parties of the reasons the data access request was refused. CC ID 00453 | Data and Information Management | Preventive | |
Notify the individual of the organization's legal rights to refuse the personal data access request, as necessary. CC ID 13509 | Communicate | Preventive | |
Notify individuals of their right to challenge a refusal to a data access request. CC ID 00454 | Data and Information Management | Preventive | |
Include if the record would constitute an action for breach of a duty of confidence as a reason for denial in the personal data request denial procedures. CC ID 08700 | Process or Activity | Preventive | |
Disseminate and communicate personal data to the individual that it relates to. CC ID 00428 | Data and Information Management | Preventive | |
Provide personal data to an individual after the individual's identity has been confirmed. CC ID 06876 | Data and Information Management | Preventive | |
Notify the data subject of any exclusions to requested personal data. CC ID 15271 | Communicate | Preventive | |
Provide data or records in a reasonable time frame. CC ID 00429 | Data and Information Management | Preventive | |
Notify individuals of the new time limit for responding to an access request in a notice of extension. CC ID 13599 | Communicate | Preventive | |
Extend the time limit for providing personal data in order to convert it to an alternative format. CC ID 13591 | Data and Information Management | Preventive | |
Extend the time limit for providing personal data if the time is impracticable to respond to the access request. CC ID 13590 | Data and Information Management | Preventive | |
Extend the time limit for providing data if it would unreasonably interfere with the organization's activities. CC ID 13589 | Data and Information Management | Preventive | |
Provide data at a cost that is not excessive. CC ID 00430 | Data and Information Management | Preventive | |
Provide records or data in a reasonable manner. CC ID 00431 | Data and Information Management | Preventive | |
Provide personal data in a form that is intelligible. CC ID 00432 | Data and Information Management | Preventive | |
Provide restricted data that would threaten the life or security of another individual after that information has been redacted. CC ID 13604 | Data and Information Management | Preventive | |
Provide restricted data that would reveal confidential commercial information after that information has been redacted. CC ID 13602 | Data and Information Management | Preventive | |
Remove data pertaining to third parties before giving the requestor access to the information. CC ID 13601 | Data and Information Management | Preventive | |
Document that a data search was conducted in case the requested data cannot be found. CC ID 06953 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a data handling program. CC ID 13427 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain data handling policies. CC ID 00353 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain data and information confidentiality policies. CC ID 00361 [The obligation of professional secrecy shall apply to all persons who are employed or who have been employed by competent authorities. Information covered by professional secrecy may not be disclosed to any other person or authority except by virtue of the laws, regulations or administrative procedures of a Member State. Article 36 2.] | Establish/Maintain Documentation | Preventive | |
Prohibit personal data from being sent by e-mail or instant messaging. CC ID 00565 | Data and Information Management | Preventive | |
Protect electronic messaging information. CC ID 12022 | Technical Security | Preventive | |
Establish, implement, and maintain record structures to support information confidentiality. CC ID 00360 [Member States shall ensure that all information and documents to which a statutory auditor or audit firm has access when carrying out a statutory audit are protected by adequate rules on confidentiality and professional secrecy. Article 23 1. Competent authorities shall, on request, and without undue delay, supply any information required for the purpose referred to in paragraph 1. Where necessary, the competent authorities receiving any such request shall, without undue delay, take the necessary measures to gather the required information. Information thus supplied shall be covered by the obligation of professional secrecy to which the persons employed or formerly employed by the competent authorities that received the information are subject. Article 36 4. ¶ 1 The working arrangements referred to in paragraph 1(d) shall ensure that: the persons employed or formerly employed by the competent authorities of the third country that receive the information are subject to obligations of professional secrecy; Article 47 2.(b)] | Data and Information Management | Preventive | |
Include passwords, Personal Identification Numbers, and card security codes in the personal data definition. CC ID 04699 | Configuration | Preventive | |
Refrain from storing data elements containing payment card full magnetic stripe data. CC ID 04757 | Testing | Detective | |
Store payment card data in secure chips, if possible. CC ID 13065 | Configuration | Preventive | |
Refrain from storing data elements containing sensitive authentication data after authorization is approved. CC ID 04758 | Configuration | Preventive | |
Render unrecoverable sensitive authentication data after authorization is approved. CC ID 11952 | Technical Security | Preventive | |
Automate the disposition process for records that contain "do not store" data or "delete after transaction process" data. CC ID 06083 | Data and Information Management | Preventive | |
Log the disclosure of personal data. CC ID 06628 | Log Management | Preventive | |
Log the modification of personal data. CC ID 11844 | Log Management | Preventive | |
Encrypt, truncate, or tokenize data fields, as necessary. CC ID 06850 | Technical Security | Preventive | |
Implement security measures to protect personal data. CC ID 13606 | Technical Security | Preventive | |
Implement physical controls to protect personal data. CC ID 00355 | Testing | Preventive | |
Limit data leakage. CC ID 00356 | Data and Information Management | Preventive | |
Conduct personal data risk assessments. CC ID 00357 | Testing | Detective | |
Identify potential red flags to alert the organization before a data leakage has occurred. CC ID 04654 | Monitor and Evaluate Occurrences | Preventive | |
Establish, implement, and maintain Consumer Reporting Agency notification procedures. CC ID 04851 | Business Processes | Preventive | |
Establish, implement, and maintain suspicious document procedures. CC ID 04852 | Establish/Maintain Documentation | Detective | |
Establish, implement, and maintain suspicious personal data procedures. CC ID 04853 | Data and Information Management | Detective | |
Compare certain personal data such as name, date of birth, address, driver's license, or other identification against personal data on file for the applicant. CC ID 04855 | Data and Information Management | Detective | |
Establish, implement, and maintain suspicious user account activity procedures. CC ID 04854 | Monitor and Evaluate Occurrences | Detective | |
Perform an identity check prior to approving an account change request. CC ID 13670 | Investigate | Detective | |
Use the contact information on file to contact the individual identified in an account change request. CC ID 04857 | Behavior | Detective | |
Match consumer reports with current accounts on file to ensure account misuse or information misuse has not occurred. CC ID 04873 | Data and Information Management | Detective | |
Log account access dates and report when dormant accounts suddenly exhibit unusual activity. CC ID 04874 | Log Management | Detective | |
Report fraudulent account activity, unauthorized transactions, or discrepancies with current accounts. CC ID 04875 | Monitor and Evaluate Occurrences | Corrective | |
Log dates for account name changes or address changes. CC ID 04876 | Log Management | Detective | |
Review accounts that are changed for additional user requests. CC ID 11846 | Monitor and Evaluate Occurrences | Detective | |
Send change notices for change of address requests to the old address and the new address. CC ID 04877 | Data and Information Management | Detective | |
Acquire enough insurance to cover the liability for damages due to data leakage. CC ID 06408 | Acquisition/Sale of Assets or Services | Preventive | |
Search the Internet for evidence of data leakage. CC ID 10419 | Process or Activity | Detective | |
Alert appropriate personnel when data leakage is detected. CC ID 14715 | Process or Activity | Preventive | |
Review monitored websites for data leakage. CC ID 10593 | Monitor and Evaluate Occurrences | Detective | |
Take appropriate action when a data leakage is discovered. CC ID 14716 | Process or Activity | Corrective | |
Develop remedies and sanctions for privacy policy violations. CC ID 00474 | Data and Information Management | Preventive | |
Notify the public and other agencies after a penalty becomes final. CC ID 06217 [Member States shall provide that measures taken and penalties imposed on statutory auditors and audit firms are appropriately disclosed to the public. Penalties shall include the possibility of the withdrawal of approval. Article 30 3.] | Behavior | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Technical security CC ID 00508 | IT Impact Zone | IT Impact Zone | |
Enforce information flow control. CC ID 11781 | Monitor and Evaluate Occurrences | Preventive | |
Establish, implement, and maintain information flow control policies inside the system and between interconnected systems. CC ID 01410 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain information exchange procedures. CC ID 11782 [Paragraph 2 shall not prevent competent authorities from exchanging confidential information. Information thus exchanged shall be covered by the obligation of professional secrecy, to which persons employed or formerly employed by competent authorities are subject. Article 36 3.] | Establish/Maintain Documentation | Preventive | |
Include the connected Information Technology assets in the information exchange procedures. CC ID 17025 | Establish/Maintain Documentation | Preventive | |
Include connection termination procedures in the information exchange procedures. CC ID 17027 | Establish/Maintain Documentation | Preventive | |
Include the data sensitivity levels in the information exchange procedures. CC ID 17024 [Paragraph 2 shall not prevent competent authorities from exchanging confidential information. Information thus exchanged shall be covered by the obligation of professional secrecy, to which persons employed or formerly employed by competent authorities are subject. Article 36 3.] | Establish/Maintain Documentation | Preventive | |
Include communication requirements in the information exchange procedures. CC ID 17026 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the information exchange procedures. CC ID 17023 | Establish/Maintain Documentation | Preventive | |
Include contact information in the information exchange procedures. CC ID 17307 | Establish/Maintain Documentation | Preventive | |
Include implementation procedures in the information exchange procedures. CC ID 17022 | Establish/Maintain Documentation | Preventive | |
Include security controls in the information exchange procedures. CC ID 17021 | Establish/Maintain Documentation | Preventive | |
Include testing procedures in the information exchange procedures. CC ID 17020 | Establish/Maintain Documentation | Preventive | |
Include measurement criteria in the information exchange procedures. CC ID 17019 | Establish/Maintain Documentation | Preventive | |
Include training requirements in the information exchange procedures. CC ID 17017 | Establish/Maintain Documentation | Preventive | |
Test the information exchange procedures. CC ID 17115 | Testing | Preventive | |
Perform content sanitization on data-in-transit. CC ID 16512 | Data and Information Management | Preventive | |
Perform content conversion on data-in-transit. CC ID 16510 | Data and Information Management | Preventive | |
Protect data from unauthorized access while transmitting between separate parts of the system. CC ID 16499 | Data and Information Management | Preventive | |
Log issuers who send personal data in cleartext in the transfer audit log. CC ID 12312 | Log Management | Preventive |
Each Common Control is assigned a meta-data type to help you determine the objective of the Control and associated Authority Document mandates aligned with it. These types include behavioral controls, process controls, records management, technical security, configuration management, etc. They are provided as another tool to dissect the Authority Document’s mandates and assign them effectively within your organization.
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Acquire enough insurance to cover the liability for damages due to data leakage. CC ID 06408 | Privacy protection for information and data | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Report to management and stakeholders on the findings and information gathered from all types of inquiries. CC ID 12797 [Competent authorities shall, on request, and without undue delay, supply any information required for the purpose referred to in paragraph 1. Where necessary, the competent authorities receiving any such request shall, without undue delay, take the necessary measures to gather the required information. Information thus supplied shall be covered by the obligation of professional secrecy to which the persons employed or formerly employed by the competent authorities that received the information are subject. Article 36 4. ¶ 1] | Leadership and high level objectives | Preventive | |
Collect all work papers for the audit and audit report into an engagement file. CC ID 07001 [Member States shall ensure that in the case of a statutory audit of the consolidated accounts of a group of undertakings: when a component of a group of undertakings is audited by auditor(s) or audit entity(ies) from a third country that has no working arrangement as referred to in Article 47, the group auditor is responsible for ensuring proper delivery, when requested, to the public oversight authorities of the documentation of the audit work performed by the third-country auditor(s) or audit entity(ies), including the working papers relevant to the group audit. To ensure such delivery, the group auditor shall retain a copy of such documentation, or alternatively agree with the third-country auditor(s) or audit entity(ies) his proper and unrestricted access upon request, or take any other appropriate action. If legal or other impediments prevent audit working papers from being passed from a third country to the group auditor, the documentation retained by the group auditor shall include evidence that he or she has undertaken the appropriate procedures in order to gain access to the audit documentation, and in the case of impediments other than legal ones arising from country legislation, evidence supporting such an impediment. Article 27 ¶ 1 (c)] | Audits and risk management | Preventive | |
Include information about the organization being audited and the auditor performing the audit in the audit report. CC ID 07004 [In addition to the provisions laid down in Articles 22 and 24, Member States shall ensure that statutory auditors or audit firms that carry out the statutory audit of a public-interest entity: disclose annually to the audit committee any additional services provided to the audited entity; and Article 42 1.(b)] | Audits and risk management | Preventive | |
Monitor and report on the status of mitigation actions in the corrective action plan. CC ID 15250 | Audits and risk management | Corrective | |
Include the percentage of individuals in each gender category in the disclosure report. CC ID 15952 | Audits and risk management | Detective | |
Include the total amount of corporate income tax accrued on profit/loss in the disclosure report. CC ID 16107 | Audits and risk management | Detective | |
Include the total monetary value of subsidies received from the government in the disclosure report. CC ID 16101 | Audits and risk management | Detective | |
Include revenues in the disclosure report. CC ID 16099 | Audits and risk management | Detective | |
Include the economic value distributed in the disclosure report. CC ID 16086 | Audits and risk management | Detective | |
Include total monetary value of payments to capital providers in the disclosure report. CC ID 16092 | Audits and risk management | Detective | |
Include total monetary value of payments to governments in the disclosure report. CC ID 16091 | Audits and risk management | Detective | |
Include total monetary value of employee wages and benefits in the disclosure report. CC ID 16090 | Audits and risk management | Detective | |
Include total monetary value of community investments in the disclosure report. CC ID 16089 | Audits and risk management | Detective | |
Include operating costs in the disclosure report. CC ID 16088 | Audits and risk management | Detective | |
Include economic value retained in the disclosure report. CC ID 16094 | Audits and risk management | Detective | |
Include the direct economic value generated and distributed in the disclosure report. CC ID 16085 | Audits and risk management | Detective | |
Include the total monetary value of financial assistance received from the government in the disclosure report. CC ID 16087 | Audits and risk management | Detective | |
Include the total monetary value of awards received from the government in the disclosure report. CC ID 16106 | Audits and risk management | Detective | |
Include the total monetary value of financial incentives received from the government in the disclosure report. CC ID 16105 | Audits and risk management | Detective | |
Include the total monetary value of tax relief and tax credits received from the government in the disclosure report. CC ID 16102 | Audits and risk management | Detective | |
Include the total monetary value of grants received from the government in the disclosure report. CC ID 16100 | Audits and risk management | Detective | |
Include the total monetary value of royalty holidays received from the government in the disclosure report. CC ID 16097 | Audits and risk management | Detective | |
Include the total monetary value of financial assistance received from Export Credit Agencies in the disclosure report. CC ID 16095 | Audits and risk management | Detective | |
Include the total amount of corporate income tax paid on a cash basis in the disclosure report. CC ID 16050 | Audits and risk management | Detective | |
Include the total monetary value of tangible assets other than cash and cash equivalents in the disclosure report. CC ID 16048 | Audits and risk management | Detective | |
Include revenues from intragroup transactions with other tax jurisdictions in the disclosure report. CC ID 16046 | Audits and risk management | Detective | |
Include revenues from third party sales in the disclosure report. CC ID 16045 | Audits and risk management | Detective | |
Include the profit and loss before tax in the disclosure report. CC ID 16044 | Audits and risk management | Detective | |
Include the percentage of interested personnel and affected parties that have received training on anti-corruption in the disclosure report. CC ID 16073 | Audits and risk management | Detective | |
Include the percentage of interested personnel and affected parties to whom the anti-corruption program has been communicated in the disclosure report. CC ID 16072 | Audits and risk management | Detective | |
Include the total number of interested personnel and affected parties to whom the anti-corruption program has been communicated in the disclosure report. CC ID 16071 | Audits and risk management | Detective | |
Include the total number of incidents where contracts with business partners were terminated due to corruption in the disclosure report. CC ID 16070 | Audits and risk management | Detective | |
Include the total number of interested personnel and affected parties that have received training on anti-corruption in the disclosure report. CC ID 16069 | Audits and risk management | Detective | |
Include the total number of incidents in which employees were dismissed or disciplined for corruption in the disclosure report. CC ID 16068 | Audits and risk management | Detective | |
Include the total number of incidents of corruption in the disclosure report. CC ID 16066 | Audits and risk management | Detective | |
Include the percentage of operations assessed for risks related to corruption in the disclosure report. CC ID 16063 | Audits and risk management | Detective | |
Include the total number of operations assessed for risks related to corruption in the disclosure report. CC ID 16062 | Audits and risk management | Detective | |
Include the total number of listed species with habitats in areas affected by organizational operations in the disclosure report. CC ID 16038 | Audits and risk management | Detective | |
Include the size of operational sites near areas of high biodiversity value in the disclosure report. CC ID 16032 | Audits and risk management | Detective | |
Include the size of habitat areas protected or restored by the organization in the disclosure report. CC ID 16023 | Audits and risk management | Detective | |
Include the percentage of the procurement budget spent on local suppliers in the disclosure report. CC ID 16022 | Audits and risk management | Detective | |
Include gross energy indirect greenhouse gas emissions in the disclosure report. CC ID 16340 | Audits and risk management | Detective | |
Include the total exports of ozone-depleting substances in the disclosure report. CC ID 16083 | Audits and risk management | Detective | |
Include the total imports of ozone-depleting substances in the disclosure report. CC ID 16081 | Audits and risk management | Detective | |
Include the total production of ozone-depleting substances in the disclosure report. CC ID 16079 | Audits and risk management | Detective | |
Include gross other indirect greenhouse gas emissions in the disclosure report. CC ID 16013 | Audits and risk management | Detective | |
Include gross direct greenhouse gas emissions in the disclosure report. CC ID 16009 | Audits and risk management | Detective | |
Include gross direct greenhouse gas emissions from perfluorinated compounds in the disclosure report. CC ID 16146 | Audits and risk management | Detective | |
Include gross market-based energy indirect greenhouse gas emissions in the disclosure report. CC ID 16008 | Audits and risk management | Detective | |
Include biogenic carbon dioxide emissions in the disclosure report. CC ID 16007 | Audits and risk management | Detective | |
Include gross location-based energy indirect greenhouse gas emissions in the disclosure report. CC ID 16006 | Audits and risk management | Detective | |
Include the total amount of significant air emissions in the disclosure report. CC ID 16005 | Audits and risk management | Detective | |
Include the total emissions of nitrogen oxides in the disclosure report. CC ID 16084 | Audits and risk management | Detective | |
Include the total emissions of sulfur oxides in the disclosure report. CC ID 16082 | Audits and risk management | Detective | |
Include the total emissions of volatile organic compounds in the disclosure report. CC ID 16080 | Audits and risk management | Detective | |
Include the total emissions of persistent organic pollutants in the disclosure report. CC ID 16078 | Audits and risk management | Detective | |
Include the total emissions of particulate matter in the disclosure report. CC ID 16077 | Audits and risk management | Detective | |
Include the total emissions of hazardous air pollutants in the disclosure report. CC ID 16076 | Audits and risk management | Detective | |
Include the greenhouse gas emissions intensity ratio in the disclosure report. CC ID 16004 | Audits and risk management | Detective | |
Include the total amount of reductions in greenhouse gas emissions in the disclosure report. CC ID 15999 | Audits and risk management | Detective | |
Include the total number of legal actions against the organization in the disclosure report. CC ID 16003 | Audits and risk management | Detective | |
Include the total number of fines for instances of non-compliance in the disclosure report. CC ID 15950 | Audits and risk management | Detective | |
Include the total weight of hazardous waste generated from manufacturing operations in the disclosure report. CC ID 16163 | Audits and risk management | Detective | |
Include the total volume of significant spills in the disclosure report. CC ID 16010 | Audits and risk management | Detective | |
Include the total number of significant spills in the disclosure report. CC ID 15965 | Audits and risk management | Detective | |
Include the performance qualification score of laptops in the disclosure report. CC ID 16176 | Audits and risk management | Detective | |
Include the battery life score of laptops in the disclosure report. CC ID 16175 | Audits and risk management | Detective | |
Include the energy efficiency of laptop computer processors in the disclosure report. CC ID 16174 | Audits and risk management | Detective | |
Include the energy efficiency of desktop computer processors in the disclosure report. CC ID 16172 | Audits and risk management | Detective | |
Include the energy efficiency of server processors in the disclosure report. CC ID 16170 | Audits and risk management | Detective | |
Include the overall ssj_ops/watt of servers in the disclosure report. CC ID 16162 | Audits and risk management | Detective | |
Include the percentage of products sold that contain declarable substances in the disclosure report. CC ID 16159 | Audits and risk management | Detective | |
Include the SPECspeed2017_int_base score/watt of desktop computers in the disclosure report. CC ID 16160 | Audits and risk management | Detective | |
Include the SPECspeed2017_fp_base score/watt of desktop computers in the disclosure report. CC ID 16157 | Audits and risk management | Detective | |
Include the average actual sustained download speed in the disclosure report. CC ID 15568 | Audits and risk management | Detective | |
Include the average advertised download speed in the disclosure report. CC ID 15567 | Audits and risk management | Detective | |
Include the percentage of water withdrawn from locations with significant baseline water stress in the disclosure report. CC ID 15949 | Audits and risk management | Detective | |
Include the percentage of water consumed from locations with significant baseline water stress in the disclosure report. CC ID 15948 | Audits and risk management | Detective | |
Include the near miss frequency rate for work-related near misses in the disclosure report. CC ID 16228 | Audits and risk management | Detective | |
Include the number of days idle as a result of work stoppages in the disclosure report. CC ID 16217 | Audits and risk management | Detective | |
Include the total monetary value of benefit plan liabilities in the disclosure report. CC ID 16108 | Audits and risk management | Detective | |
Include the percentage of an employee's salary contributed to benefit plans by employee or employer in the disclosure report. CC ID 16103 | Audits and risk management | Detective | |
Include the ratio of entry level wages to the minimum wage in the disclosure report. CC ID 16002 | Audits and risk management | Detective | |
Include the percentage of senior management hired from the local community in the disclosure report. CC ID 16001 | Audits and risk management | Detective | |
Include the percentage of employees that are foreign nationals in the disclosure report. CC ID 15622 | Audits and risk management | Preventive | |
Include the percentage of offshore employees in the disclosure report. CC ID 15623 | Audits and risk management | Preventive | |
Include the percentage of employee engagement in the disclosure report. CC ID 15634 | Audits and risk management | Preventive | |
Include the percentage of employees covered by collective bargaining agreements in the disclosure report. CC ID 15931 | Audits and risk management | Detective | |
Include the rate of new employee hires in the disclosure report. CC ID 15928 | Audits and risk management | Detective | |
Include the total number of employees who left the organization in the disclosure report. CC ID 16127 | Audits and risk management | Detective | |
Include the number of work stoppages involving one thousand or more workers in the disclosure report. CC ID 16214 | Audits and risk management | Detective | |
Include the total number of employees that were entitled to parental leave in the disclosure report. CC ID 15960 | Audits and risk management | Detective | |
Include the total number of employees that took parental leave in the disclosure report. CC ID 15955 | Audits and risk management | Detective | |
Include the total number of employees that returned to work in the reporting period after parental leave ended in the disclosure report. CC ID 15946 | Audits and risk management | Detective | |
Include the return to work rate of employees that took parental leave in the disclosure report. CC ID 15958 | Audits and risk management | Detective | |
Include the retention rate of employees that took parental leave in the disclosure report. CC ID 15962 | Audits and risk management | Detective | |
Include the percentage of security personnel who have received training on human rights policies and their application to security in the disclosure report. CC ID 15726 | Audits and risk management | Preventive | |
Include the user average interruption duration in the disclosure report. CC ID 15558 | Audits and risk management | Detective | |
Include the system average interruption frequency in the disclosure report. CC ID 15565 | Audits and risk management | Detective | |
Include the total user downtime in the disclosure report. CC ID 15635 | Audits and risk management | Preventive | |
Include the percentage of content removal requests with which the organization complied in the disclosure report. CC ID 15649 | Audits and risk management | Preventive | |
Include the total number of unique individuals whose information was requested by a third party in the disclosure report. CC ID 15500 | Audits and risk management | Detective | |
Include the number of individuals whose personal data is maintained in the disclosure report. CC ID 16792 | Audits and risk management | Preventive | |
Include the percentage of information requests that resulted in disclosure in the disclosure report. CC ID 15560 | Audits and risk management | Detective | |
Include the total number of unique individuals affected by data breaches in the disclosure report. CC ID 15951 | Audits and risk management | Detective | |
Include the percentage of Tier 1 suppliers' manufacturing facilities audited in compliance with the Responsible Business Alliance Validated Audit Process protocol in the disclosure report. CC ID 16216 | Audits and risk management | Detective | |
Include the power usage effectiveness in the disclosure report. CC ID 15552 | Audits and risk management | Detective | |
Include the energy intensity ratio in the disclosure report. CC ID 15735 | Audits and risk management | Preventive | |
Include the percentage of energy consumed that is renewable energy in the disclosure report. CC ID 15549 | Audits and risk management | Detective | |
Include the percentage of energy consumed that was supplied by grid electricity in the disclosure report. CC ID 15541 | Audits and risk management | Detective | |
Include the percentage of recovered materials that were reused in the disclosure report. CC ID 15563 | Audits and risk management | Detective | |
Include the percentage of recovered materials that were recycled or remanufactured in the disclosure report. CC ID 15574 | Audits and risk management | Detective | |
Include the weight of recovered materials in the disclosure report. CC ID 16203 | Audits and risk management | Detective | |
Include the percentage of recovered materials that were landfilled in the disclosure report. CC ID 15578 | Audits and risk management | Detective | |
Include the rate of work-related injuries in the disclosure report. CC ID 15944 | Audits and risk management | Detective | |
Include the percentage of employees and non-employees covered by the occupational health and safety management system in the disclosure report. CC ID 15943 | Audits and risk management | Detective | |
Include the percentage of manufacturing facilities audited in compliance with the Responsible Business Alliance Validated Audit Process protocol in the disclosure report. CC ID 16207 | Audits and risk management | Detective | |
Include the rate of fatalities as a result of work-related injuries in the disclosure report. CC ID 15954 | Audits and risk management | Detective | |
Include the number of fatalities as a result of work-related ill health in the disclosure report. CC ID 15942 | Audits and risk management | Detective | |
Include the total number of fatalities as a result of work-related injuries in the disclosure report. CC ID 15953 | Audits and risk management | Detective |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Provide cross-organizational audit information based on the cross-organizational audit sharing agreement. CC ID 10596 [The competent authorities of Member States responsible for approval, registration, quality assurance, inspection and discipline shall cooperate with each other whenever necessary for the purpose of carrying out their respective responsibilities under this Directive. The competent authorities in a Member State responsible for approval, registration, quality assurance, inspection and discipline shall render assistance to competent authorities in other Member States. In particular, competent authorities shall exchange information and cooperate in investigations related to the carrying-out of statutory audits. Article 36 1.] | Monitoring and measurement | Preventive | |
Rotate auditors, as necessary. CC ID 15589 [Member States shall ensure that the key audit partner(s) responsible for carrying out a statutory audit rotate(s) from the audit engagement within a maximum period of seven years from the date of appointment and is/are allowed to participate in the audit of the audited entity again after a period of at least two years. Article 42 2.] | Audits and risk management | Preventive | |
Conduct a performance review of the external auditor's performance during the audit process. CC ID 01198 [{investigation process} {disciplinary process} The system of public oversight shall have the ultimate responsibility for the oversight of: continuing education, quality assurance and investigative and disciplinary systems. Article 32 4.(c) The competent authorities of Member States responsible for approval, registration, quality assurance, inspection and discipline shall cooperate with each other whenever necessary for the purpose of carrying out their respective responsibilities under this Directive. The competent authorities in a Member State responsible for approval, registration, quality assurance, inspection and discipline shall render assistance to competent authorities in other Member States. In particular, competent authorities shall exchange information and cooperate in investigations related to the carrying-out of statutory audits. Article 36 1. The system of public oversight shall have the right, where necessary, to conduct investigations in relation to statutory auditors and audit firms and the right to take appropriate action. Article 32 5. Member States shall ensure that there are effective systems of investigations and penalties to detect, correct and prevent inadequate execution of the statutory audit. Article 30 1. {third-country audit entity} Member States shall subject registered third-country auditors and audit entities to their systems of oversight, their quality assurance systems and their systems of investigation and penalties. A Member State may exempt a registered third-country auditor or audit entity from being subject to its quality assurance system if another Member State's or third country's system of quality assurance that has been assessed as equivalent in accordance with Article 46 has carried out a quality review of the third-country auditor or audit entity concerned during the previous three years. Article 45 3.] | Audits and risk management | Preventive | |
Define what constitutes a threat to independence. CC ID 16824 [In addition to the provisions laid down in Articles 22 and 24, Member States shall ensure that statutory auditors or audit firms that carry out the statutory audit of a public-interest entity: discuss with the audit committee the threats to their independence and the safeguards applied to mitigate those threats as documented by them pursuant to Article 22(3). Article 42 1.(c)] | Audits and risk management | Preventive | |
Determine if requested services create a threat to independence. CC ID 16823 [Member States shall ensure that a statutory auditor or audit firm documents in the audit working papers all significant threats to his, her or its independence as well as the safeguards applied to mitigate those threats. Article 22 3. Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: the scope of the quality assurance review, supported by adequate testing of selected audit files, shall include an assessment of compliance with applicable auditing standards and independence requirements, of the quantity and quality of resources spent, of the audit fees charged and of the internal quality control system of the audit firm; Article 29 1.(f) Without prejudice to the responsibility of the members of the administrative, management or supervisory bodies, or of other members who are appointed by the general meeting of shareholders of the audited entity, the audit committee shall, inter alia: review and monitor the independence of the statutory auditor or audit firm, and in particular the provision of additional services to the audited entity. Article 41 2.(d)] | Audits and risk management | Detective | |
Include in scope procedures in the audit assertion's in scope system description. CC ID 16551 | Audits and risk management | Preventive | |
Include roles and responsibilities in the audit assertion's in scope system description. CC ID 16558 | Audits and risk management | Preventive | |
Include the audit criteria in the audit assertion's in scope system description. CC ID 16548 | Audits and risk management | Preventive | |
Include third party data in the audit assertion's in scope system description. CC ID 16554 | Audits and risk management | Preventive | |
Include third party personnel in the audit assertion's in scope system description. CC ID 16552 | Audits and risk management | Preventive | |
Include compliance requirements in the audit assertion's in scope system description. CC ID 16506 | Audits and risk management | Preventive | |
Include third party assets in the audit assertion's in scope system description. CC ID 16550 | Audits and risk management | Preventive | |
Include deviations and the corrective actions taken in the audit assertion's in scope system description. CC ID 16549 | Audits and risk management | Preventive | |
Determine the appropriateness of the audit assertion's in scope system description. CC ID 16449 | Audits and risk management | Detective | |
Hold an opening meeting with interested personnel and affected parties prior to an audit. CC ID 15256 | Audits and risk management | Preventive | |
Confirm audit requirements during the opening meeting. CC ID 15255 | Audits and risk management | Detective | |
Include discussions about how particular situations will be handled in the opening meeting. CC ID 15254 | Audits and risk management | Preventive | |
Include third party assets in the audit scope. CC ID 16504 | Audits and risk management | Preventive | |
Determine the appropriateness of the audit subject matter. CC ID 16505 | Audits and risk management | Preventive | |
Include the date of the audit in the representation letter. CC ID 16517 | Audits and risk management | Preventive | |
Include a statement that management has disclosed the implementation status in the representation letter. CC ID 17162 | Audits and risk management | Preventive | |
Refrain from performing an attestation engagement under defined conditions. CC ID 13952 [Member States shall in addition ensure that, where statutory audits of public-interest entities are concerned and where appropriate to safeguard the statutory auditor's or audit firm's independence, a statutory auditor or an audit firm shall not carry out a statutory audit in cases of self-review or self-interest. Article 22 2. ¶ 2 Member States shall ensure that a statutory auditor or an audit firm shall not carry out a statutory audit if there is any direct or indirect financial, business, employment or other relationship — including the provision of additional non-audit services — between the statutory auditor, audit firm or network and the audited entity from which an objective, reasonable and informed third party would conclude that the statutory auditor's or audit firm's independence is compromised. If the statutory auditor's or audit firm's independence is affected by threats, such as self-review, self-interest, advocacy, familiarity or trust or intimidation, the statutory auditor or audit firm must apply safeguards in order to mitigate those threats. If the significance of the threats compared to the safeguards applied is such that his, her or its independence is compromised, the statutory auditor or audit firm shall not carry out the statutory audit. Article 22 2. ¶ 1] | Audits and risk management | Detective | |
Refrain from accepting an attestation engagement when all parties disagree on the procedures. CC ID 13951 | Audits and risk management | Preventive | |
Audit in scope audit items and compliance documents. CC ID 06730 [A statutory audit shall be carried out only by statutory auditors or audit firms which are approved by the Member State requiring the statutory audit. Article 3 1. Member States shall require statutory auditors and audit firms to carry out statutory audits in compliance with international auditing standards adopted by the Commission in accordance with the procedure referred to in Article 48(2). Member States may apply a national auditing standard as long as the Commission has not adopted an international auditing standard covering the same subject-matter. Adopted international auditing standards shall be published in full in each of the official languages of the Community in the Official Journal of the European Union. Article 26 1.] | Audits and risk management | Preventive | |
Identify hypothetical assumptions in forecasts and projections during an audit. CC ID 13946 | Audits and risk management | Detective | |
Refrain from examining forecasts and projections which refrain from disclosing assumptions during an audit. CC ID 13932 | Audits and risk management | Detective | |
Investigate the nature and causes of misstatements in the audit assertion's in scope system description. CC ID 16557 | Audits and risk management | Detective | |
Review audit reports to determine the effectiveness of in scope controls. CC ID 12156 [Without prejudice to the responsibility of the members of the administrative, management or supervisory bodies, or of other members who are appointed by the general meeting of shareholders of the audited entity, the audit committee shall, inter alia: monitor the effectiveness of the company's internal control, internal audit where applicable, and risk management systems; Article 41 2.(b)] | Audits and risk management | Detective | |
Interview stakeholders to determine the effectiveness of in scope controls. CC ID 12154 | Audits and risk management | Detective | |
Review policies and procedures to determine the effectiveness of in scope controls. CC ID 12144 | Audits and risk management | Detective | |
Evaluate personnel status changes to determine the effectiveness of in scope controls. CC ID 16556 | Audits and risk management | Detective | |
Determine whether individuals performing a control have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 16555 | Audits and risk management | Detective | |
Refrain from using audit evidence that is not sufficient. CC ID 17163 | Audits and risk management | Preventive | |
Include audit evidence obtained from previous engagements in the work papers. CC ID 16518 [Member States shall ensure that in the case of a statutory audit of the consolidated accounts of a group of undertakings: when a component of a group of undertakings is audited by auditor(s) or audit entity(ies) from a third country that has no working arrangement as referred to in Article 47, the group auditor is responsible for ensuring proper delivery, when requested, to the public oversight authorities of the documentation of the audit work performed by the third-country auditor(s) or audit entity(ies), including the working papers relevant to the group audit. To ensure such delivery, the group auditor shall retain a copy of such documentation, or alternatively agree with the third-country auditor(s) or audit entity(ies) his proper and unrestricted access upon request, or take any other appropriate action. If legal or other impediments prevent audit working papers from being passed from a third country to the group auditor, the documentation retained by the group auditor shall include evidence that he or she has undertaken the appropriate procedures in order to gain access to the audit documentation, and in the case of impediments other than legal ones arising from country legislation, evidence supporting such an impediment. Article 27 ¶ 1 (c)] | Audits and risk management | Preventive | |
Include if the audit evidence has identified in scope control deficiencies in the work papers. CC ID 07152 | Audits and risk management | Detective | |
Include any subsequent events related to the audit assertion or audit subject matter in the work papers. CC ID 07177 | Audits and risk management | Preventive | |
Review the subject matter expert's findings. CC ID 16559 | Audits and risk management | Detective | |
Provide auditors access to all in scope records, in scope assets, personnel and in scope procedures. CC ID 06966 [Where a statutory auditor or audit firm is replaced by another statutory auditor or audit firm, the former statutory auditor or audit firm shall provide the incoming statutory auditor or audit firm with access to all relevant information concerning the audited entity. Article 23 3.] | Audits and risk management | Preventive | |
Include the justification for not following the applicable requirements in the audit report. CC ID 16822 | Audits and risk management | Preventive | |
Include a statement that the applicable requirements were not followed in the audit report. CC ID 16821 | Audits and risk management | Preventive | |
Refrain from referencing previous engagements in the audit report. CC ID 16516 | Audits and risk management | Preventive | |
Identify the participants from the organization being audited in the audit report. CC ID 15258 | Audits and risk management | Detective | |
Include the cost of corrective action in the audit report. CC ID 17015 | Audits and risk management | Preventive | |
Include the timing of controls in the description of tests of controls and results in the audit report. CC ID 16553 | Audits and risk management | Preventive | |
Assess the quality of the audit program in regards to its documentation. CC ID 11622 [Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: the scope of the quality assurance review, supported by adequate testing of selected audit files, shall include an assessment of compliance with applicable auditing standards and independence requirements, of the quantity and quality of resources spent, of the audit fees charged and of the internal quality control system of the audit firm; Article 29 1.(f)] | Audits and risk management | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Carry out disciplinary actions when a compliance violation is detected. CC ID 06675 [Member States shall ensure that statutory auditors are required to take part in appropriate programmes of continuing education in order to maintain their theoretical knowledge, professional skills and values at a sufficiently high level, and that failure to respect the continuing education requirements is subject to appropriate penalties as referred to in Article 30. Article 13 ¶ 1 If the recommendations referred to in point (j) are not followed up, the statutory auditor or audit firm shall, if applicable, be subject to the system of disciplinary actions or penalties referred to in Article 30. Article 29 1. ¶ 1 Where a competent authority concludes that activities contrary to the provisions of this Directive are being or have been carried out on the territory of another Member State, it shall notify the competent authority of the other Member State of that conclusion in as specific a manner as possible. The competent authority of the other Member State shall take appropriate action. It shall inform the notifying competent authority of the outcome and, to the extent possible, of significant interim developments. Article 36 5. Without prejudice to Member States' civil liability regimes, Member States shall provide for effective, proportionate and dissuasive penalties in respect of statutory auditors and audit firms, where statutory audits are not carried out in conformity with the provisions adopted in the implementation of this Directive. Article 30 2. {investigation process} {disciplinary process} The system of public oversight shall have the ultimate responsibility for the oversight of: continuing education, quality assurance and investigative and disciplinary systems. Article 32 4.(c) The system of public oversight shall have the right, where necessary, to conduct investigations in relation to statutory auditors and audit firms and the right to take appropriate action. Article 32 5. {third-country audit entity} Member States shall subject registered third-country auditors and audit entities to their systems of oversight, their quality assurance systems and their systems of investigation and penalties. A Member State may exempt a registered third-country auditor or audit entity from being subject to its quality assurance system if another Member State's or third country's system of quality assurance that has been assessed as equivalent in accordance with Article 46 has carried out a quality review of the third-country auditor or audit entity concerned during the previous three years. Article 45 3.] | Monitoring and measurement | Corrective | |
Refrain from accepting an attestation engagement unless the prospective financial information includes a summary of significant assumptions. CC ID 13954 | Audits and risk management | Preventive | |
Verify statements made by interviewees are correct. CC ID 16299 | Audits and risk management | Detective | |
Train all personnel and third parties, as necessary. CC ID 00785 [In order to ensure the ability to apply theoretical knowledge in practice, a test of which is included in the examination, a trainee shall complete a minimum of three years' practical training in, inter alia, the auditing of annual accounts, consolidated accounts or similar financial statements. At least two thirds of such practical training shall be completed with a statutory auditor or audit firm approved in any Member State. Article 10 1.] | Human Resources management | Preventive | |
Retrain all personnel, as necessary. CC ID 01362 [Member States shall ensure that statutory auditors are required to take part in appropriate programmes of continuing education in order to maintain their theoretical knowledge, professional skills and values at a sufficiently high level, and that failure to respect the continuing education requirements is subject to appropriate penalties as referred to in Article 30. Article 13 ¶ 1] | Human Resources management | Preventive | |
Establish, implement, and maintain ethical decision-making guidelines. CC ID 12908 | Human Resources management | Preventive | |
Establish, implement, and maintain an ethical culture. CC ID 12781 | Human Resources management | Preventive | |
Refrain from discriminating against employees who refuse or intend to refuse to do something that contravenes requirements. CC ID 13608 | Human Resources management | Preventive | |
Refrain from discriminating against employees who are whistleblowers. CC ID 13609 | Human Resources management | Preventive | |
Refrain from discriminating against employees who disclose that their employer or another person has or intends to contravene requirements. CC ID 13607 | Human Resources management | Preventive | |
Refrain from approving previously performed activities when acting on behalf of the Chief Information Security Officer. CC ID 12060 | Human Resources management | Preventive | |
Refrain from performing activities with approval responsibility when acting on behalf of the Chief Information Security Officer. CC ID 12059 | Human Resources management | Preventive | |
Prohibit roles from performing activities that they are assigned the responsibility for approving. CC ID 12052 | Human Resources management | Preventive | |
Grant registration after competence and integrity are verified. CC ID 16802 [Member States may additionally allow the information to be entered in the public register in any other official language(s) of the Community. Member States may require the translation of the information to be certified. Article 20 2. ¶ 1 {public register} In all cases, the Member State concerned shall ensure that the register indicates whether or not the translation is certified. Article 20 2. ¶ 2] | Operational management | Detective | |
Notify the supervisory authority. CC ID 00472 [Where a competent authority concludes that activities contrary to the provisions of this Directive are being or have been carried out on the territory of another Member State, it shall notify the competent authority of the other Member State of that conclusion in as specific a manner as possible. The competent authority of the other Member State shall take appropriate action. It shall inform the notifying competent authority of the outcome and, to the extent possible, of significant interim developments. Article 36 5. Member States shall communicate to the Commission the working arrangements referred to in paragraphs 1 and 4. Article 47 6.] | Privacy protection for information and data | Preventive | |
Respond to data access requests in a timely manner. CC ID 00421 | Privacy protection for information and data | Preventive | |
Notify the individual of the reasons for delays in responding to data access requests. CC ID 00422 | Privacy protection for information and data | Detective | |
Notify the individual when a cost is imposed which must be paid in advance to gain access. CC ID 00423 | Privacy protection for information and data | Detective | |
Use the contact information on file to contact the individual identified in an account change request. CC ID 04857 | Privacy protection for information and data | Detective | |
Notify the public and other agencies after a penalty becomes final. CC ID 06217 [Member States shall provide that measures taken and penalties imposed on statutory auditors and audit firms are appropriately disclosed to the public. Penalties shall include the possibility of the withdrawal of approval. Article 30 3.] | Privacy protection for information and data | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Establish, implement, and maintain a reporting methodology program. CC ID 02072 | Leadership and high level objectives | Preventive | |
Enforce a continuous Quality Control system. CC ID 01005 [Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: quality assurance reviews shall take place at least every six years; Article 29 1.(h) The system of public oversight shall have the ultimate responsibility for the oversight of: the adoption of standards on professional ethics, internal quality control of audit firms and auditing, and Article 32 4.(b)] | Leadership and high level objectives | Detective | |
Establish, implement, and maintain a public oversight system. CC ID 17284 [Member States shall organise an effective system of public oversight for statutory auditors and audit firms based on the principles set out in paragraphs 2 to 7. Article 32 1. All statutory auditors and audit firms shall be subject to public oversight. Article 32 2. The system of public oversight shall be transparent. This shall include the publication of annual work programmes and activity reports. Article 32 6. {third-country audit entity} Member States shall subject registered third-country auditors and audit entities to their systems of oversight, their quality assurance systems and their systems of investigation and penalties. A Member State may exempt a registered third-country auditor or audit entity from being subject to its quality assurance system if another Member State's or third country's system of quality assurance that has been assessed as equivalent in accordance with Article 46 has carried out a quality review of the third-country auditor or audit entity concerned during the previous three years. Article 45 3.] | Leadership and high level objectives | Preventive | |
Return the funds from a funds transfer when required information is not received or discrepancies resolved. CC ID 16760 | Leadership and high level objectives | Preventive | |
Delay the funds transfer until all required information has been received or discrepancies resolved. CC ID 16759 | Leadership and high level objectives | Preventive | |
Refrain from making funds from a funds transfer available to the interested personnel until all required information is received. CC ID 16758 | Leadership and high level objectives | Preventive | |
Attach the required information to each funds transfer. CC ID 16756 | Leadership and high level objectives | Preventive | |
Verify all required information is attached to each funds transfer. CC ID 16755 | Leadership and high level objectives | Detective | |
Establish, implement, and maintain protective measures for customers from a bank's insolvency or default. CC ID 16738 | Leadership and high level objectives | Preventive | |
Refrain from setting up anonymous financial accounts. CC ID 16721 | Leadership and high level objectives | Preventive | |
Identify and maintain positions in financial accounts. CC ID 16751 | Leadership and high level objectives | Preventive | |
Supplement financial resources, as necessary. CC ID 16685 | Leadership and high level objectives | Preventive | |
Limit the types of assets accepted as collateral. CC ID 16602 | Leadership and high level objectives | Preventive | |
Avoid the use of concentrated holdings of assets. CC ID 16651 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a securities trading program. CC ID 16626 | Leadership and high level objectives | Preventive | |
Include investment information in approval requests for investments. CC ID 16590 | Leadership and high level objectives | Preventive | |
Review and approve lending policies. CC ID 16607 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain margin systems. CC ID 16601 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain capital adequacy measures. CC ID 16568 | Leadership and high level objectives | Preventive | |
Withdraw the approvals of auditors, as necessary. CC ID 17260 [Approval of a statutory auditor or an audit firm shall be withdrawn if the good repute of that person or firm has been seriously compromised. Member States may, however, provide for a reasonable period of time for the purpose of meeting the requirements of good repute. Article 5 1. Approval of an audit firm shall be withdrawn if any of the conditions imposed in Article 3(4), points (b) and (c) is no longer fulfilled. Member States may, however, provide for a reasonable period of time for the purpose of fulfilling those conditions. Article 5 2. Member States shall ensure that statutory auditors or audit firms may be dismissed only where there are proper grounds. Divergence of opinions on accounting treatments or audit procedures shall not be proper grounds for dismissal. Article 38 1.] | Audits and risk management | Preventive | |
Identify personnel who should attend the closing meeting. CC ID 15261 | Audits and risk management | Preventive | |
Schedule attestation engagement meetings with interested personnel and affected parties, as necessary. CC ID 15263 | Audits and risk management | Preventive | |
Refrain from accepting an attestation engagement when the engaging party refuses to sign the engagement letter. CC ID 14912 | Audits and risk management | Preventive | |
Accept the attestation engagement when all preconditions are met. CC ID 13933 | Audits and risk management | Preventive | |
Disclaim the audit opinion in the audit report, as necessary. CC ID 13901 | Audits and risk management | Corrective | |
Sign the disclosure report. CC ID 17286 [The transparency report shall be signed by the statutory auditor or audit firm, as the case may be. This can be done, for example, by means of an electronic signature as defined in Article 2(1) of Directive 1999/93/EC. Article 40 2.] | Audits and risk management | Preventive | |
Establish, implement, and maintain an education methodology. CC ID 06671 [{investigation process} {disciplinary process} The system of public oversight shall have the ultimate responsibility for the oversight of: continuing education, quality assurance and investigative and disciplinary systems. Article 32 4.(c)] | Human Resources management | Preventive | |
Refrain from practicing false advertising. CC ID 14253 | Human Resources management | Preventive | |
Establish mechanisms for whistleblowers to report compliance violations. CC ID 06806 | Human Resources management | Preventive | |
Respond to ethics complaints of ethics violations. CC ID 11497 | Human Resources management | Corrective | |
Impose conditions or restrictions on the termination or suspension of a registration. CC ID 16796 | Operational management | Preventive | |
Define the requirements for approving or denying approval applications. CC ID 16780 | Privacy protection for information and data | Preventive | |
Extend the time limit for approving or denying approval applications. CC ID 16779 | Privacy protection for information and data | Preventive | |
Refrain from requiring data subjects to justify personal data access requests. CC ID 12394 | Privacy protection for information and data | Preventive | |
Grant a waiver or reduction of fees for data access under defined conditions. CC ID 15502 | Privacy protection for information and data | Preventive | |
Refrain from disclosing Individually Identifiable Health Information related to reproductive health care, as necessary. CC ID 17250 | Privacy protection for information and data | Preventive | |
Cease the use or disclosure of Individually Identifiable Health Information under predetermined conditions. CC ID 17251 | Privacy protection for information and data | Preventive | |
Refrain from using Individually Identifiable Health Information related to reproductive health care, as necessary. CC ID 17256 | Privacy protection for information and data | Preventive | |
Refrain from processing personal data for marketing or advertising to children. CC ID 14010 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain Consumer Reporting Agency notification procedures. CC ID 04851 | Privacy protection for information and data | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Establish, implement, and maintain an external reporting program. CC ID 12876 | Leadership and high level objectives | Preventive | |
Include reporting to governing bodies in the external reporting plan. CC ID 12923 [Where the approval of a statutory auditor or of an audit firm is withdrawn for any reason, the competent authority of the Member State where the approval is withdrawn shall communicate that fact and the reasons for the withdrawal to the relevant competent authorities of Member States where the statutory auditor or audit firm is also approved which are entered in the first-named Member State's register in accordance with Article 16(1), point (c). Article 5 3.] | Leadership and high level objectives | Preventive | |
Submit confidential treatment applications to interested personnel and affected parties. CC ID 16592 | Leadership and high level objectives | Preventive | |
Disseminate and communicate the Quality Management policy to all interested personnel and affected parties. CC ID 13695 | Leadership and high level objectives | Preventive | |
Notify affected parties and interested personnel of quality management system approvals that have been refused, suspended, or withdrawn. CC ID 15045 | Leadership and high level objectives | Preventive | |
Notify affected parties and interested personnel of quality management system approvals that have been issued. CC ID 15036 | Leadership and high level objectives | Preventive | |
Disseminate and communicate compliance exceptions to interested personnel and affected parties. CC ID 16945 | Leadership and high level objectives | Preventive | |
Disseminate and communicate the oversight plan to interested personnel and affected parties. CC ID 17308 | Leadership and high level objectives | Preventive | |
Provide required information that is missing from a funds transfer to the responsible party. CC ID 16761 | Leadership and high level objectives | Preventive | |
Disseminate and communicate the results of stress testing to interested personnel and affected parties. CC ID 16630 | Leadership and high level objectives | Preventive | |
Disseminate and communicate the escrow procedures to interested personnel and affected parties. CC ID 16565 | Leadership and high level objectives | Preventive | |
Disseminate and communicate securities transaction notifications to interested personnel and affected parties. CC ID 16621 | Leadership and high level objectives | Preventive | |
Disseminate and communicate the financial report to interested personnel and affected parties. CC ID 16342 | Leadership and high level objectives | Preventive | |
Disseminate and communicate the call report to interested personnel and affected parties. CC ID 16727 | Leadership and high level objectives | Preventive | |
Disseminate and communicate the disciplinary action notice to interested personnel and affected parties. CC ID 16585 [Where a competent authority concludes that activities contrary to the provisions of this Directive are being or have been carried out on the territory of another Member State, it shall notify the competent authority of the other Member State of that conclusion in as specific a manner as possible. The competent authority of the other Member State shall take appropriate action. It shall inform the notifying competent authority of the outcome and, to the extent possible, of significant interim developments. Article 36 5.] | Monitoring and measurement | Preventive | |
Publish a Statement of Compliance for the organization's external requirements. CC ID 12350 [Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: the overall results of the quality assurance system shall be published annually; Article 29 1.(i)] | Audits and risk management | Preventive | |
Notify interested personnel and affected parties of the reasons for the withdrawal of auditors. CC ID 17283 [Member States shall ensure that the audited entity and the statutory auditor or audit firm inform the authority or authorities responsible for public oversight concerning the dismissal or resignation of the statutory auditor or audit firm during the term of appointment and give an adequate explanation of the reasons therefor. Article 38 2.] | Audits and risk management | Preventive | |
Disseminate and communicate the auditor's qualification requirements to interested personnel and affected parties. CC ID 17265 | Audits and risk management | Preventive | |
Hold a closing meeting following an audit to present audit findings and conclusions. CC ID 15248 | Audits and risk management | Preventive | |
Report that audit evidence collected was not sufficient to the proper authorities. CC ID 16847 | Audits and risk management | Preventive | |
Disseminate and communicate the reasons the audit report was delayed to interested personnel and affected parties. CC ID 15257 | Audits and risk management | Preventive | |
Notify auditees if disclosure of audit documentation is required by law. CC ID 15249 | Audits and risk management | Preventive | |
Disseminate and communicate the audit plan to interested personnel and affected parties. CC ID 15238 | Audits and risk management | Preventive | |
Disseminate and communicate the disclosure report to interested personnel and affected parties. CC ID 15667 [Member States shall ensure that statutory auditors and audit firms that carry out statutory audit(s) of public-interest entities publish on their websites, within three months of the end of each financial year, annual transparency reports that include at least the following: Article 40 1.] | Audits and risk management | Preventive | |
Disseminate and communicate screening results to interested personnel and affected parties. CC ID 16445 | Human Resources management | Preventive | |
Disseminate and communicate personnel screening procedures to interested personnel and affected parties. CC ID 16977 | Human Resources management | Preventive | |
Notify terminated individuals of applicable, legally binding post-employment requirements. CC ID 10630 [The statutory auditor or the key audit partner who carries out a statutory audit on behalf of an audit firm shall not be allowed to take up a key management position in the audited entity before a period of at least two years has elapsed since he or she resigned as a statutory auditor or key audit partner from the audit engagement. Article 42 3.] | Human Resources management | Preventive | |
Disseminate and communicate the security awareness and training procedures to interested personnel and affected parties. CC ID 14138 | Human Resources management | Preventive | |
Submit a conflict of interest declaration to interested personnel and affected parties. CC ID 16194 [In addition to the provisions laid down in Articles 22 and 24, Member States shall ensure that statutory auditors or audit firms that carry out the statutory audit of a public-interest entity: confirm annually in writing to the audit committee their independence from the audited public-interest entity; Article 42 1.(a)] | Human Resources management | Preventive | |
Include communication protocols for interested personnel and affected parties in the ethics program. CC ID 12858 | Human Resources management | Preventive | |
Establish mechanisms to maintain the anonymity of whistleblowers. CC ID 12859 | Human Resources management | Preventive | |
Make the registration database available to the public. CC ID 15107 [{unique identifier} Member States shall ensure that each statutory auditor and audit firm is identified in the public register by an individual number. Registration information shall be stored in the register in electronic form and shall be electronically accessible to the public. Article 15 2.] | Operational management | Preventive | |
Submit approval applications to the supervisory authority. CC ID 16627 | Privacy protection for information and data | Preventive | |
Notify the supervisory authority of the safeguards employed to protect the data subject's rights. CC ID 12605 | Privacy protection for information and data | Preventive | |
Respond to questions about submissions in a timely manner. CC ID 16930 | Privacy protection for information and data | Preventive | |
Include any reasons for delay if notifying the supervisory authority after the time limit. CC ID 12675 [If the requested competent authority is not able to supply the required information without undue delay, it shall notify the requesting competent authority of the reasons therefor. Article 36 4. ¶ 2] | Privacy protection for information and data | Corrective | |
Respond to data access requests in an official language. CC ID 17176 | Privacy protection for information and data | Preventive | |
Notify the subject of care when a lack of availability of health information systems might have adversely affected their care. CC ID 13990 | Privacy protection for information and data | Corrective | |
Refrain from disseminating and communicating with individuals that have opted out of direct marketing communications. CC ID 13708 | Privacy protection for information and data | Corrective | |
Disseminate and communicate the disclosure requirements to interested personnel and affected parties. CC ID 16901 | Privacy protection for information and data | Preventive | |
Notify the data subject of the disclosure purpose. CC ID 15268 | Privacy protection for information and data | Preventive | |
Notify the individual of the organization's legal rights to refuse the personal data access request, as necessary. CC ID 13509 | Privacy protection for information and data | Preventive | |
Notify the data subject of any exclusions to requested personal data. CC ID 15271 | Privacy protection for information and data | Preventive | |
Notify individuals of the new time limit for responding to an access request in a notice of extension. CC ID 13599 | Privacy protection for information and data | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Include passwords, Personal Identification Numbers, and card security codes in the personal data definition. CC ID 04699 | Privacy protection for information and data | Preventive | |
Store payment card data in secure chips, if possible. CC ID 13065 | Privacy protection for information and data | Preventive | |
Refrain from storing data elements containing sensitive authentication data after authorization is approved. CC ID 04758 | Privacy protection for information and data | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Include valuation models in the margin system. CC ID 16663 | Leadership and high level objectives | Preventive | |
Include procedures for collecting price data in the margin system. CC ID 16662 | Leadership and high level objectives | Preventive | |
Include reliable sources for price data in the margin system. CC ID 16661 | Leadership and high level objectives | Preventive | |
Include order tickets in the recordkeeping system for securities transactions. CC ID 16640 | Leadership and high level objectives | Preventive | |
Include receipts and deliveries of securities in the recordkeeping system for securities transactions. CC ID 16650 | Leadership and high level objectives | Preventive | |
Include debits and credits in the recordkeeping system for securities transactions. CC ID 16639 | Leadership and high level objectives | Preventive | |
Include a description of the transaction in the recordkeeping system for securities transactions. CC ID 16645 | Leadership and high level objectives | Preventive | |
Include chronological records of transactions in the recordkeeping system for securities transactions. CC ID 16638 | Leadership and high level objectives | Preventive | |
Include the name of the dealer in the recordkeeping system for securities transactions. CC ID 16637 | Leadership and high level objectives | Preventive | |
Include the execution price in the recordkeeping system for securities transactions. CC ID 16636 | Leadership and high level objectives | Preventive | |
Include the date and time of the transaction in the recordkeeping system for securities transactions. CC ID 16635 | Leadership and high level objectives | Preventive | |
Include the type of transaction in the recordkeeping system for securities transactions. CC ID 16633 | Leadership and high level objectives | Preventive | |
Include account information in the recordkeeping system for securities transactions. CC ID 16632 | Leadership and high level objectives | Preventive | |
Perform content sanitization on data-in-transit. CC ID 16512 | Technical security | Preventive | |
Perform content conversion on data-in-transit. CC ID 16510 | Technical security | Preventive | |
Protect data from unauthorized access while transmitting between separate parts of the system. CC ID 16499 | Technical security | Preventive | |
Establish, implement, and maintain a registration database. CC ID 15048 [{unique identifier} Member States shall ensure that each statutory auditor and audit firm is identified in the public register by an individual number. Registration information shall be stored in the register in electronic form and shall be electronically accessible to the public. Article 15 2. Member States shall ensure that statutory auditors and audit firms notify the competent authorities in charge of the public register without undue delay of any change of information contained in the public register. The register shall be updated without undue delay after notification. Article 18 ¶ 1 Each Member State shall ensure that statutory auditors and audit firms are entered in a public register in accordance with Articles 16 and 17. In exceptional circumstances, Member States may disapply the requirements laid down in this Article and Article 16 regarding disclosure only to the extent necessary to mitigate an imminent and significant threat to the personal security of any person. Article 15 1.] | Operational management | Preventive | |
Implement access restrictions for information in the registration database. CC ID 17235 | Operational management | Preventive | |
Include registration numbers in the registration database. CC ID 17272 [As regards statutory auditors, the public register shall contain at least the following information: name, address and registration number; Article 16 1.(a) As regards statutory auditors, the public register shall contain at least the following information: if applicable, the name, address, website address and registration number of the audit firm(s) by which the statutory auditor is employed, or with whom he or she is associated as a partner or otherwise; Article 16 1.(b) As regards audit firms, the public register shall contain at least the following information: name, address and registration number; Article 17 1.(a)] | Operational management | Preventive | |
Include electronic signatures in the registration database. CC ID 17281 [{public register} The information provided to the relevant competent authorities in accordance with Articles 16, 17 and 18 shall be signed by the statutory auditor or audit firm. Where the competent authority provides for the information to be made available electronically, that can, for example, be done by means of an electronic signature as defined in point 1 of Article 2 of Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures (19). Article 19 ¶ 1] | Operational management | Preventive | |
Include other registrations in the registration database. CC ID 17274 [As regards audit firms, the public register shall contain at least the following information: all other registration(s) as audit firm with the competent authorities of other Member States and as audit entity with third countries, including the name(s) of the registration authority(ies), and, if applicable, the registration number(s). Article 17 1.(i)] | Operational management | Preventive | |
Include the owners and shareholders in the registration database. CC ID 17273 [As regards audit firms, the public register shall contain at least the following information: names and business addresses of all owners and shareholders; Article 17 1.(f)] | Operational management | Preventive | |
Publish the registration information in the registration database in an official language. CC ID 17280 [The information entered in the public register shall be drawn up in one of the languages permitted by the language rules applicable in the Member State concerned. Article 20 1. Member States may additionally allow the information to be entered in the public register in any other official language(s) of the Community. Member States may require the translation of the information to be certified. Article 20 2. ¶ 1] | Operational management | Preventive | |
Maintain non-public information in a protected area in the registration database. CC ID 17237 | Operational management | Preventive | |
Publish the IP addresses being used by each external customer in the registration database. CC ID 16403 | Operational management | Preventive | |
Update registration information upon changes. CC ID 17275 [Member States shall ensure that statutory auditors and audit firms notify the competent authorities in charge of the public register without undue delay of any change of information contained in the public register. The register shall be updated without undue delay after notification. Article 18 ¶ 1] | Operational management | Preventive | |
Maintain the accuracy of registry information published in registration databases. CC ID 16402 | Operational management | Preventive | |
Maintain ease of use for information in the registration database. CC ID 17239 [{unique identifier} Member States shall ensure that each statutory auditor and audit firm is identified in the public register by an individual number. Registration information shall be stored in the register in electronic form and shall be electronically accessible to the public. Article 15 2.] | Operational management | Preventive | |
Include all required information in the registration database. CC ID 15106 [As regards statutory auditors, the public register shall contain at least the following information: all other registration(s) as statutory auditor with the competent authorities of other Member States and as auditor with third countries, including the name(s) of the registration authority(ies), and, if applicable, the registration number(s). Article 16 1.(c) As regards audit firms, the public register shall contain at least the following information: name and registration number of all statutory auditors employed by or associated as partners or otherwise with the audit firm; Article 17 1.(e) {not be indicated} {public register} Third-country audit entities registered in accordance with Article 45 shall be clearly indicated in the register as such and not as audit firms. Article 17 2. {public register} {do not indicate} Third-country auditors registered in accordance with Article 45 shall be clearly indicated in the register as such and not as statutory auditors. Article 16 2. As regards audit firms, the public register shall contain at least the following information: legal form; Article 17 1.(b) {third-country audit entity} The competent authorities of a Member State shall, in accordance with Articles 15 to 17, register every third-country auditor and audit entity that provides an audit report concerning the annual or consolidated accounts of a company incorporated outwith the Community whose transferable securities are admitted to trading on a regulated market of that Member State within the meaning of point 14 of Article 4(1) of Directive 2004/39/EC, except when the company is an issuer exclusively of debt securities admitted to trading on a regulated market in a Member State within the meaning of Article 2(1)(b) of Directive 2004/109/EC, the denomination per unit of which is at least EUR 50 000 or, in case of debt securities denominated in another currency, equivalent, at the date of issue, to at least EUR 50 000. Article 45 1.] | Operational management | Preventive | |
Provide individuals with information about where their personal data was processed. CC ID 00415 | Privacy protection for information and data | Preventive | |
Provide individuals with information about the processing purpose of their personal data. CC ID 00416 | Privacy protection for information and data | Preventive | |
Provide individuals with information about disclosure of their personal data. CC ID 00417 | Privacy protection for information and data | Preventive | |
Allow guardians and legal representatives access to personal data about the individual for whom they are guardians or legal representatives. CC ID 00418 | Privacy protection for information and data | Preventive | |
Provide assistance to requesters in preparing data access requests. CC ID 13588 | Privacy protection for information and data | Preventive | |
Delay responding to data access requests, as necessary. CC ID 15504 | Privacy protection for information and data | Preventive | |
Expedite the processing of data access requests, as necessary. CC ID 15496 | Privacy protection for information and data | Preventive | |
Provide individuals with an estimate of how much data was withheld from the data access request. CC ID 15503 | Privacy protection for information and data | Preventive | |
Document the outcome of the personal data access request review procedure. CC ID 00455 | Privacy protection for information and data | Preventive | |
Process personal data pertaining to a patient's health in order to treat those patients. CC ID 00200 | Privacy protection for information and data | Preventive | |
Disclose Individually Identifiable Health Information for a covered entity's own use. CC ID 00211 | Privacy protection for information and data | Preventive | |
Disclose Individually Identifiable Health Information for a healthcare provider's treatment activities by a covered entity. CC ID 00212 | Privacy protection for information and data | Preventive | |
Disclose Individually Identifiable Health Information for payment activities between covered entities or healthcare providers. CC ID 00213 | Privacy protection for information and data | Preventive | |
Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities when both covered entities have a relationship with the data subject. CC ID 00214 | Privacy protection for information and data | Preventive | |
Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities between a covered entity and a participating healthcare provider when the information is collected from the data subject and a third party. CC ID 00215 | Privacy protection for information and data | Preventive | |
Disclose Individually Identifiable Health Information in accordance with agreed upon restrictions. CC ID 06249 | Privacy protection for information and data | Preventive | |
Disclose Individually Identifiable Health Information in accordance with the privacy notice. CC ID 06250 | Privacy protection for information and data | Preventive | |
Disclose permitted Individually Identifiable Health Information for facility directories. CC ID 06251 | Privacy protection for information and data | Preventive | |
Disclose Individually Identifiable Health Information for cadaveric organ donation purposes, eye donation purposes, or tissue donation purposes. CC ID 06252 | Privacy protection for information and data | Preventive | |
Disclose Individually Identifiable Health Information for medical suitability determinations. CC ID 06253 | Privacy protection for information and data | Preventive | |
Disclose Individually Identifiable Health Information for armed forces personnel appropriately. CC ID 06254 | Privacy protection for information and data | Preventive | |
Disclose Individually Identifiable Health Information in order to provide public benefits by government agencies. CC ID 06255 | Privacy protection for information and data | Preventive | |
Disclose Individually Identifiable Health Information for fundraising. CC ID 06256 | Privacy protection for information and data | Preventive | |
Disclose Individually Identifiable Health Information when the data subject cannot physically or legally provide consent and the disclosing organization is a healthcare provider. CC ID 00202 | Privacy protection for information and data | Preventive | |
Disclose Individually Identifiable Health Information to provide appropriate treatment to the data subject when the disclosing organization is a healthcare provider. CC ID 00203 | Privacy protection for information and data | Preventive | |
Disclose Individually Identifiable Health Information when it is not contrary to the data subject's wish prior to becoming unable to provide consent and the disclosing organization is a healthcare provider. CC ID 00204 | Privacy protection for information and data | Preventive | |
Disclose Individually Identifiable Health Information that is reasonable or necessary for the disclosure purpose when the disclosing organization is a healthcare provider. CC ID 00205 | Privacy protection for information and data | Preventive | |
Disclose Individually Identifiable Health Information consistent with the law when the disclosing organization is a healthcare provider. CC ID 00206 | Privacy protection for information and data | Preventive | |
Disclose Individually Identifiable Health Information in order to carry out treatment when the disclosing organization is a healthcare provider. CC ID 00207 | Privacy protection for information and data | Preventive | |
Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject has provided consent and the disclosing organization is a healthcare provider. CC ID 00208 | Privacy protection for information and data | Preventive | |
Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject's guardian or representative has provided consent and the disclosing organization is a healthcare provider. CC ID 00209 | Privacy protection for information and data | Preventive | |
Disclose Individually Identifiable Health Information when the disclosing organization is a healthcare provider that supports public health and safety activities. CC ID 06248 | Privacy protection for information and data | Preventive | |
Disclose Individually Identifiable Health Information in order to report abuse or neglect when the disclosing organization is a healthcare provider. CC ID 06819 | Privacy protection for information and data | Preventive | |
Obtain explicit consent for authorization to release Individually Identifiable Health Information. CC ID 00217 | Privacy protection for information and data | Preventive | |
Obtain explicit consent for authorization to release psychotherapy notes. CC ID 00218 | Privacy protection for information and data | Preventive | |
Refrain from using Individually Identifiable Health Information to determine eligibility or continued eligibility for credit. CC ID 00219 | Privacy protection for information and data | Preventive | |
Process personal data after the data subject has granted explicit consent. CC ID 00180 | Privacy protection for information and data | Preventive | |
Process personal data in order to perform a legal obligation or exercise a legal right. CC ID 00182 | Privacy protection for information and data | Preventive | |
Process personal data relating to criminal offenses when required by law. CC ID 00237 | Privacy protection for information and data | Preventive | |
Process personal data in order to prevent personal injury or damage to the data subject's health. CC ID 00183 | Privacy protection for information and data | Preventive | |
Process personal data in order to prevent personal injury or damage to a third party's health. CC ID 00184 | Privacy protection for information and data | Preventive | |
Process personal data for statistical purposes or scientific purposes. CC ID 00256 | Privacy protection for information and data | Preventive | |
Process personal data during legitimate activities with safeguards for the data subject's legal rights. CC ID 00185 | Privacy protection for information and data | Preventive | |
Process traffic data in a controlled manner. CC ID 00130 | Privacy protection for information and data | Preventive | |
Process personal data for health insurance, social insurance, state social benefits, social welfare, or child protection. CC ID 00186 | Privacy protection for information and data | Preventive | |
Process personal data when it is publicly accessible. CC ID 00187 | Privacy protection for information and data | Preventive | |
Process personal data for direct marketing and other personalized mail programs. CC ID 00188 | Privacy protection for information and data | Preventive | |
Process personal data for the purposes of employment. CC ID 16527 | Privacy protection for information and data | Preventive | |
Process personal data for justice administration, lawsuits, judicial decisions, and investigations. CC ID 00189 | Privacy protection for information and data | Preventive | |
Process personal data for debt collection or benefit payments. CC ID 00190 | Privacy protection for information and data | Preventive | |
Process personal data in order to advance the public interest. CC ID 00191 | Privacy protection for information and data | Preventive | |
Process personal data for surveys, archives, or scientific research. CC ID 00192 | Privacy protection for information and data | Preventive | |
Process personal data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00193 | Privacy protection for information and data | Preventive | |
Process personal data for academic purposes or religious purposes. CC ID 00194 | Privacy protection for information and data | Preventive | |
Process personal data when it is used by a public authority for National Security policy or criminal policy. CC ID 00195 | Privacy protection for information and data | Preventive | |
Refrain from storing data in newly created files or registers which directly or indirectly reveals the restricted data. CC ID 00196 | Privacy protection for information and data | Preventive | |
Follow legal obligations while processing personal data. CC ID 04794 | Privacy protection for information and data | Preventive | |
Start personal data processing only after the needed notifications are submitted. CC ID 04791 | Privacy protection for information and data | Preventive | |
Identify any adverse effects the disclosure of personal data will have on the data subject. CC ID 15298 | Privacy protection for information and data | Preventive | |
Review personal data disclosure requests. CC ID 07129 | Privacy protection for information and data | Preventive | |
Include frivolous requests or vexatious requests as a reason for denial in the personal data request denial procedures. CC ID 00435 | Privacy protection for information and data | Preventive | |
Include when the required information is unavailable as a reason for denial in the personal data request denial procedures. CC ID 00436 | Privacy protection for information and data | Preventive | |
Include when the disclosure of personal data constitutes contempt of court or contempt of House of Representatives as a reason for denial in the personal data request denial procedures. CC ID 00437 | Privacy protection for information and data | Preventive | |
Include disclosing personal data that would identify suppliers or breaches an express promise of privacy or implied promise of privacy as a reason for denial in the personal data request denial procedures. CC ID 00438 | Privacy protection for information and data | Preventive | |
Include disclosing personal data that would compromise National Security as a reason for denial in the personal data request denial procedures. CC ID 00439 | Privacy protection for information and data | Preventive | |
Include information that is protected by attorney-client privilege as a reason for denial in the personal data request denial procedures. CC ID 00440 | Privacy protection for information and data | Preventive | |
Include disclosing personal data that would reveal trade secrets, commercial information, or harmful financial information as a reason for denial in the personal data request denial procedures. CC ID 00441 [The competent authorities may refuse to act on a request for information where: supplying information might adversely affect the sovereignty, security or public order of the requested Member State or breach national security rules; or Article 36 4. ¶ 3 (a)] | Privacy protection for information and data | Preventive | |
Include disclosing personal data that would threaten an individual's life or an individual's security as a reason for denial in the personal data request denial procedures. CC ID 00442 | Privacy protection for information and data | Preventive | |
Include disclosing personal data that would have an unreasonable impact on another individual's privacy as a reason for denial in the personal data request denial procedures. CC ID 00443 | Privacy protection for information and data | Preventive | |
Include responding to access requests after the time limit as a reason for denial in the personal data request denial procedures. CC ID 13600 [The competent authorities may refuse to act on a request for information where: final judgment has already been passed in respect of the same actions and on the same statutory auditors or audit firms by the competent authorities of the requested Member State. Article 36 4. ¶ 3 (c)] | Privacy protection for information and data | Preventive | |
Include information that was generated from a formal dispute as a reason for denial in the personal data request denial procedures. CC ID 00444 [The competent authorities may refuse to act on a request for information where: judicial proceedings have already been initiated in respect of the same actions and against the same statutory auditors or audit firms before the authorities of the requested Member State; or Article 36 4. ¶ 3 (b)] | Privacy protection for information and data | Preventive | |
Include personal data that is used solely for scientific research, scholarly research, statistical research, library purposes, museum purposes, or archival purposes as a reason for denial in the personal data request denial procedures. CC ID 00445 | Privacy protection for information and data | Preventive | |
Include personal data that is for the state's economic interest as a reason for denial in the personal data request denial procedures. CC ID 00446 | Privacy protection for information and data | Detective | |
Include personal data that is for protecting the civil rights or others' freedoms as a reason for denial in the personal data request denial procedures. CC ID 00447 | Privacy protection for information and data | Preventive | |
Include disclosing personal data that constitutes a state secret as a reason for denial in the personal data request denial procedures. CC ID 00448 | Privacy protection for information and data | Preventive | |
Include disclosing personal data that would result in interference with the operation of public functions as a reason for denial in the personal data request denial procedures. CC ID 00449 | Privacy protection for information and data | Preventive | |
Include disclosing personal data that would interrupt criminal investigation and surveillance or other legal purposes as a reason for denial in the personal data request denial procedures. CC ID 00450 | Privacy protection for information and data | Preventive | |
Include when a country's laws prevent disclosure as a reason for denial in the personal data request denial procedures. CC ID 00451 | Privacy protection for information and data | Preventive | |
Include disclosing personal data that would interfere with grievance proceeding or employee security investigations as a reason for denial in the personal data request denial procedures. CC ID 06873 | Privacy protection for information and data | Preventive | |
Include disclosing personal data that would interfere with commercial acquisitions or reorganizations as a reason for denial in the personal data request denial procedures. CC ID 06874 | Privacy protection for information and data | Preventive | |
Include if the cost or burden of disclosing the personal data is disproportionate as a reason for denial in the personal data request denial procedures. CC ID 06875 | Privacy protection for information and data | Preventive | |
Notify interested personnel and affected parties of the reasons the data access request was refused. CC ID 00453 | Privacy protection for information and data | Preventive | |
Notify individuals of their right to challenge a refusal to a data access request. CC ID 00454 | Privacy protection for information and data | Preventive | |
Disseminate and communicate personal data to the individual that it relates to. CC ID 00428 | Privacy protection for information and data | Preventive | |
Provide personal data to an individual after the individual's identity has been confirmed. CC ID 06876 | Privacy protection for information and data | Preventive | |
Provide data or records in a reasonable time frame. CC ID 00429 | Privacy protection for information and data | Preventive | |
Extend the time limit for providing personal data in order to convert it to an alternative format. CC ID 13591 | Privacy protection for information and data | Preventive | |
Extend the time limit for providing personal data if the time is impracticable to respond to the access request. CC ID 13590 | Privacy protection for information and data | Preventive | |
Extend the time limit for providing data if it would unreasonably interfere with the organization's activities. CC ID 13589 | Privacy protection for information and data | Preventive | |
Provide data at a cost that is not excessive. CC ID 00430 | Privacy protection for information and data | Preventive | |
Provide records or data in a reasonable manner. CC ID 00431 | Privacy protection for information and data | Preventive | |
Provide personal data in a form that is intelligible. CC ID 00432 | Privacy protection for information and data | Preventive | |
Provide restricted data that would threaten the life or security of another individual after that information has been redacted. CC ID 13604 | Privacy protection for information and data | Preventive | |
Provide restricted data that would reveal confidential commercial information after that information has been redacted. CC ID 13602 | Privacy protection for information and data | Preventive | |
Remove data pertaining to third parties before giving the requestor access to the information. CC ID 13601 | Privacy protection for information and data | Preventive | |
Prohibit personal data from being sent by e-mail or instant messaging. CC ID 00565 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain record structures to support information confidentiality. CC ID 00360 [Member States shall ensure that all information and documents to which a statutory auditor or audit firm has access when carrying out a statutory audit are protected by adequate rules on confidentiality and professional secrecy. Article 23 1. Competent authorities shall, on request, and without undue delay, supply any information required for the purpose referred to in paragraph 1. Where necessary, the competent authorities receiving any such request shall, without undue delay, take the necessary measures to gather the required information. Information thus supplied shall be covered by the obligation of professional secrecy to which the persons employed or formerly employed by the competent authorities that received the information are subject. Article 36 4. ¶ 1 The working arrangements referred to in paragraph 1(d) shall ensure that: the persons employed or formerly employed by the competent authorities of the third country that receive the information are subject to obligations of professional secrecy; Article 47 2.(b)] | Privacy protection for information and data | Preventive | |
Automate the disposition process for records that contain "do not store" data or "delete after transaction process" data. CC ID 06083 | Privacy protection for information and data | Preventive | |
Limit data leakage. CC ID 00356 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain suspicious personal data procedures. CC ID 04853 | Privacy protection for information and data | Detective | |
Compare certain personal data such as name, date of birth, address, driver's license, or other identification against personal data on file for the applicant. CC ID 04855 | Privacy protection for information and data | Detective | |
Match consumer reports with current accounts on file to ensure account misuse or information misuse has not occurred. CC ID 04873 | Privacy protection for information and data | Detective | |
Send change notices for change of address requests to the old address and the new address. CC ID 04877 | Privacy protection for information and data | Detective | |
Develop remedies and sanctions for privacy policy violations. CC ID 00474 | Privacy protection for information and data | Preventive |
KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term. Mandated - bold; Implied - italic; Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Define the roles and responsibilities for personnel assigned to tasks in the Audit function. CC ID 00678 [Member States shall ensure that in the case of a statutory audit of the consolidated accounts of a group of undertakings: the group auditor bears the full responsibility for the audit report in relation with the consolidated accounts; Article 27 ¶ 1 (a)] | Audits and risk management | Preventive | |
Define and assign the external auditor's roles and responsibilities. CC ID 00683 [The statutory auditor or audit firm shall be appointed by the general meeting of shareholders or members of the audited entity. Article 37 1.] | Audits and risk management | Preventive | |
Assign the audit to impartial auditors. CC ID 07118 [Member States shall ensure that when carrying out a statutory audit, the statutory auditor and/or the audit firm is independent of the audited entity and is not involved in the decision-taking of the audited entity. Article 22 1. {alternative measures} Member States may allow alternative systems or modalities for the appointment of the statutory auditor or audit firm, provided that those systems or modalities are designed to ensure the independence of the statutory auditor or audit firm from the executive members of the administrative body or from the managerial body of the audited entity. Article 37 2.] | Audits and risk management | Preventive | |
Establish, implement, and maintain high level operational roles and responsibilities. CC ID 00806 | Human Resources management | Preventive | |
Assign personnel screening procedures to qualified personnel. CC ID 11699 | Human Resources management | Preventive | |
Refrain from assigning security compliance assessment responsibility for the day-to-day production activities an individual performs. CC ID 12061 | Human Resources management | Preventive | |
Require data controllers to be accountable for their actions. CC ID 00470 | Privacy protection for information and data | Preventive | |
Process restricted data lawfully and carefully. CC ID 00086 [Without prejudice to the obligations to which they are subject in judicial proceedings, competent authorities which receive information pursuant to paragraph 1 may use it only for the exercise of their functions within the scope of this Directive and in the context of administrative or judicial proceedings specifically related to the exercise of those functions. Article 36 4. ¶ 4] | Privacy protection for information and data | Preventive |
KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term. Mandated - bold; Implied - italic; Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Include the reasons for objections to public disclosure in confidential treatment applications. CC ID 16594 | Leadership and high level objectives | Preventive | |
Include contact information for the interested personnel and affected parties the report was filed with in the confidential treatment application. CC ID 16595 | Leadership and high level objectives | Preventive | |
Include the information that was omitted in the confidential treatment application. CC ID 16593 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a Quality Management framework. CC ID 07196 [Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: Article 29 1. {third-country audit entity} Member States shall subject registered third-country auditors and audit entities to their systems of oversight, their quality assurance systems and their systems of investigation and penalties. A Member State may exempt a registered third-country auditor or audit entity from being subject to its quality assurance system if another Member State's or third country's system of quality assurance that has been assessed as equivalent in accordance with Article 46 has carried out a quality review of the third-country auditor or audit entity concerned during the previous three years. Article 45 3.] | Leadership and high level objectives | Preventive | |
Include supply chain management standards in the Quality Management framework. CC ID 13701 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a Quality Management policy. CC ID 13694 | Leadership and high level objectives | Preventive | |
Include a commitment to satisfy applicable requirements in the Quality Management policy. CC ID 13700 [Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: the quality assurance system shall be organised in such a manner that it is independent of the reviewed statutory auditors and audit firms and subject to public oversight as provided for in Chapter VIII; Article 29 1.(a)] | Leadership and high level objectives | Preventive | |
Tailor the Quality Management policy to support the organization's strategic direction. CC ID 13699 | Leadership and high level objectives | Preventive | |
Include a commitment to continual improvement of the Quality Management system in the Quality Management policy. CC ID 13698 | Leadership and high level objectives | Preventive | |
Align the quality objectives with the Quality Management policy. CC ID 13697 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a Quality Management program. CC ID 07201 [Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: the quality assurance system shall be organised in such a manner that it is independent of the reviewed statutory auditors and audit firms and subject to public oversight as provided for in Chapter VIII; Article 29 1.(a) {investigation process} {disciplinary process} The system of public oversight shall have the ultimate responsibility for the oversight of: continuing education, quality assurance and investigative and disciplinary systems. Article 32 4.(c)] | Leadership and high level objectives | Preventive | |
Include quality objectives in the Quality Management program. CC ID 13693 | Leadership and high level objectives | Preventive | |
Include records management in the quality management system. CC ID 15055 | Leadership and high level objectives | Preventive | |
Include risk management in the quality management system. CC ID 15054 | Leadership and high level objectives | Preventive | |
Include data management procedures in the quality management system. CC ID 15052 | Leadership and high level objectives | Preventive | |
Include a post-market monitoring system in the quality management system. CC ID 15027 | Leadership and high level objectives | Preventive | |
Include operational roles and responsibilities in the quality management system. CC ID 15028 | Leadership and high level objectives | Preventive | |
Include resource management in the quality management system. CC ID 15026 [Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: the quality assurance system shall have adequate resources; Article 29 1.(c) Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: the scope of the quality assurance review, supported by adequate testing of selected audit files, shall include an assessment of compliance with applicable auditing standards and independence requirements, of the quantity and quality of resources spent, of the audit fees charged and of the internal quality control system of the audit firm; Article 29 1.(f)] | Leadership and high level objectives | Preventive | |
Include communication protocols in the quality management system. CC ID 15025 | Leadership and high level objectives | Preventive | |
Include incident reporting procedures in the quality management system. CC ID 15023 | Leadership and high level objectives | Preventive | |
Include technical specifications in the quality management system. CC ID 15021 | Leadership and high level objectives | Preventive | |
Document the deficiencies in a deficiency report that were found during Quality Control and corrected during Quality Improvement. CC ID 07203 [Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: the quality assurance review shall be the subject of a report which shall contain the main conclusions of the quality assurance review; Article 29 1.(g)] | Leadership and high level objectives | Preventive | |
Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a compliance exception standard. CC ID 01628 [{third-country audit entity} Member States shall subject registered third-country auditors and audit entities to their systems of oversight, their quality assurance systems and their systems of investigation and penalties. A Member State may exempt a registered third-country auditor or audit entity from being subject to its quality assurance system if another Member State's or third country's system of quality assurance that has been assessed as equivalent in accordance with Article 46 has carried out a quality review of the third-country auditor or audit entity concerned during the previous three years. Article 45 3.] | Leadership and high level objectives | Preventive | |
Include the authority for granting exemptions in the compliance exception standard. CC ID 14329 | Leadership and high level objectives | Preventive | |
Include when exemptions expire in the compliance exception standard. CC ID 14330 | Leadership and high level objectives | Preventive | |
Include management of the exemption register in the compliance exception standard. CC ID 14328 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain an oversight plan. CC ID 17302 | Leadership and high level objectives | Preventive | |
Include roles and responsibilities in the public oversight system. CC ID 17285 [The system of public oversight shall be governed by non-practitioners who are knowledgeable in the areas relevant to statutory audit. Member States may, however, allow a minority of practitioners to be involved in the governance of the public oversight system. Persons involved in the governance of the public oversight system shall be selected in accordance with an independent and transparent nomination procedure. Article 32 3. The system of public oversight shall have the ultimate responsibility for the oversight of: the approval and registration of statutory auditors and audit firms; Article 32 4.(a)] | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a financial management program. CC ID 13228 [Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: the funding for the quality assurance system shall be secure and free from any possible undue influence by statutory auditors or audit firms; Article 29 1.(b) The system of public oversight shall be adequately funded. The funding for the public oversight system shall be secure and free from any undue influence by statutory auditors or audit firms. Article 32 7.] | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain funds transfer procedures. CC ID 16754 | Leadership and high level objectives | Preventive | |
Include communication protocols in the financial management program. CC ID 16763 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a financial products and services disclosure policy. CC ID 16717 | Leadership and high level objectives | Preventive | |
Require acknowledgment of receipt from the customer in the financial products and services disclosure policy. CC ID 16725 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain financial resource management procedures. CC ID 16642 [The system of public oversight shall be adequately funded. The funding for the public oversight system shall be secure and free from any undue influence by statutory auditors or audit firms. Article 32 7.] | Leadership and high level objectives | Preventive | |
Document the rationale for the amount of financial resources being held. CC ID 16688 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain collateral procedures. CC ID 16653 | Leadership and high level objectives | Preventive | |
Include the use of appropriate models in the collateral procedures. CC ID 16687 | Leadership and high level objectives | Preventive | |
Define the collateral requirements in the collateral procedures. CC ID 16686 | Leadership and high level objectives | Preventive | |
Identify and document the financial resources available for use. CC ID 16643 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain credit loss procedures. CC ID 16683 | Leadership and high level objectives | Preventive | |
Include the allocation of credit losses in the credit loss procedures. CC ID 16684 | Leadership and high level objectives | Preventive | |
Include fairness and equitability standards in the securities trading program. CC ID 16690 | Leadership and high level objectives | Preventive | |
Include roles and responsibilities in the securities trading program. CC ID 16689 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a capital restoration plan. CC ID 16613 | Leadership and high level objectives | Preventive | |
Include performance guarantees in the capital restoration plan. CC ID 16616 | Leadership and high level objectives | Preventive | |
Include corrective actions taken in the capital restoration plan. CC ID 16612 | Leadership and high level objectives | Preventive | |
Include required information in the capital restoration plan. CC ID 16609 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain valuation procedures. CC ID 16634 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain capital withdrawal requirements. CC ID 16576 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain lending policies. CC ID 16608 | Leadership and high level objectives | Preventive | |
Include the requirements for risk assessments in the lending policy. CC ID 16730 | Leadership and high level objectives | Preventive | |
Include the requirements for sensitivity analyses in the lending policy. CC ID 16728 | Leadership and high level objectives | Preventive | |
Include the requirements for feasibility studies in the lending policy. CC ID 16726 | Leadership and high level objectives | Preventive | |
Include pricing structures in the lending policy. CC ID 16724 | Leadership and high level objectives | Preventive | |
Include monitoring requirements in the lending policy. CC ID 16710 | Leadership and high level objectives | Preventive | |
Include loan origination procedures in the lending policy. CC ID 16709 | Leadership and high level objectives | Preventive | |
Include review procedures and approval procedures for exception loans in the lending policy. CC ID 16708 | Leadership and high level objectives | Preventive | |
Include loan requirements in the lending policy. CC ID 16706 | Leadership and high level objectives | Preventive | |
Include appraisals and evaluations in the lending policy. CC ID 16705 | Leadership and high level objectives | Preventive | |
Include terms and conditions in the lending policy. CC ID 16695 | Leadership and high level objectives | Preventive | |
Include the scope and distribution of loans in the lending policy. CC ID 16693 | Leadership and high level objectives | Preventive | |
Include geographic areas in the lending policy. CC ID 16691 | Leadership and high level objectives | Preventive | |
Include underwriting guidelines in the lending policy. CC ID 16619 | Leadership and high level objectives | Preventive | |
Include credit review in the underwriting guidelines. CC ID 16765 | Leadership and high level objectives | Preventive | |
Include loan-to-value ratio limits in the lending policy. CC ID 16618 | Leadership and high level objectives | Preventive | |
Include documentation requirements in the lending policy. CC ID 16617 | Leadership and high level objectives | Preventive | |
Include the purpose of the loan in the loan documentation. CC ID 16747 | Leadership and high level objectives | Preventive | |
Include the source of repayment in the loan documentation. CC ID 16746 | Leadership and high level objectives | Preventive | |
Include approval requirements in the lending policy. CC ID 16615 | Leadership and high level objectives | Preventive | |
Include reporting requirements in the lending policy. CC ID 16614 | Leadership and high level objectives | Preventive | |
Include loan portfolio diversification standards in the lending policy. CC ID 16611 | Leadership and high level objectives | Preventive | |
Include loan administration procedures in the lending policy. CC ID 16610 | Leadership and high level objectives | Preventive | |
Include loan participation agreements in the loan administration procedures. CC ID 16745 | Leadership and high level objectives | Preventive | |
Include termination procedures in the loan participation agreement. CC ID 16753 | Leadership and high level objectives | Preventive | |
Justify the safety and efficiency of the participation requirements in the loan participation agreement. CC ID 16752 | Leadership and high level objectives | Preventive | |
Include servicing agreements in the loan administration procedures. CC ID 16744 | Leadership and high level objectives | Preventive | |
Include claims processing in the loan administration procedures. CC ID 16742 | Leadership and high level objectives | Preventive | |
Include forbearance management in the loan administration procedures. CC ID 16741 | Leadership and high level objectives | Preventive | |
Include foreclosure management in the loan administration procedures. CC ID 16740 | Leadership and high level objectives | Preventive | |
Include delinquency management in the loan administration procedures. CC ID 16739 | Leadership and high level objectives | Preventive | |
Include the requirements for financial statements in the loan administration procedures. CC ID 16735 | Leadership and high level objectives | Preventive | |
Include loan closing in the loan administration procedures. CC ID 16734 | Leadership and high level objectives | Preventive | |
Include payoff statements in the loan administration procedures. CC ID 16733 | Leadership and high level objectives | Preventive | |
Include payment processing in the loan administration procedures. CC ID 16732 | Leadership and high level objectives | Preventive | |
Include loan reviews in the loan administration procedures. CC ID 16703 | Leadership and high level objectives | Preventive | |
Include collections in the loan administration procedures. CC ID 16701 | Leadership and high level objectives | Preventive | |
Include collateral inspections in the loan administration procedures. CC ID 16699 | Leadership and high level objectives | Preventive | |
Include disbursements in the loan administration procedures. CC ID 16697 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a dividend policy. CC ID 16569 | Leadership and high level objectives | Preventive | |
Include compliance requirements in the dividend policy. CC ID 16570 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain escrow procedures for financial transactions. CC ID 16564 | Leadership and high level objectives | Preventive | |
Include risk management in the Capital Planning and Investment Control policy. CC ID 16764 | Leadership and high level objectives | Preventive | |
Include debt rating requirements in the Capital Planning and Investment Control policy. CC ID 16692 | Leadership and high level objectives | Preventive | |
Include divestiture requirements in the Capital Planning and Investment Control policy. CC ID 16591 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a recordkeeping system for securities transactions. CC ID 16631 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain securities transaction notifications. CC ID 16600 | Leadership and high level objectives | Preventive | |
Include the call date in the securities transaction notification. CC ID 16680 | Leadership and high level objectives | Preventive | |
Include service charges and commissions in the securities transaction notification. CC ID 16702 | Leadership and high level objectives | Preventive | |
Include the funds and securities in the possession of the organization in the securities transaction notification. CC ID 16679 | Leadership and high level objectives | Preventive | |
Include the call price in the securities transaction notification. CC ID 16678 | Leadership and high level objectives | Preventive | |
Include debits and credits in the securities transaction notification. CC ID 16677 | Leadership and high level objectives | Preventive | |
Include transactions in the securities transaction notification. CC ID 16676 | Leadership and high level objectives | Preventive | |
Include the credit rating of securities in the securities transaction notification. CC ID 16674 | Leadership and high level objectives | Preventive | |
Include yield information in the securities transaction notification. CC ID 16673 | Leadership and high level objectives | Preventive | |
Include redemption information in the securities transaction notification. CC ID 16672 | Leadership and high level objectives | Preventive | |
Include the price calculated from the yield in the securities transaction notification. CC ID 16669 | Leadership and high level objectives | Preventive | |
Include the type of call in the securities transaction notification. CC ID 16668 | Leadership and high level objectives | Preventive | |
Include an account statement in the securities transaction notification. CC ID 16666 | Leadership and high level objectives | Preventive | |
Include the yield to maturity in the securities transaction notification. CC ID 16665 | Leadership and high level objectives | Preventive | |
Include the execution price in the securities transaction notification. CC ID 16664 | Leadership and high level objectives | Preventive | |
Include the organization's role in the securities transaction notification. CC ID 16646 | Leadership and high level objectives | Preventive | |
Include the name of the broker in the securities transaction notification. CC ID 16647 | Leadership and high level objectives | Preventive | |
Include the name of the customer in the securities transaction notification. CC ID 16625 | Leadership and high level objectives | Preventive | |
Include the organization's name in the securities transaction notification. CC ID 16624 | Leadership and high level objectives | Preventive | |
Include confirmations in the securities transaction notification. CC ID 16623 | Leadership and high level objectives | Preventive | |
Include remunerations in the securities transaction notification. CC ID 16622 | Leadership and high level objectives | Preventive | |
Include requested information in the securities transaction notification. CC ID 16641 | Leadership and high level objectives | Preventive | |
Include the execution date in the securities transaction notification. CC ID 16620 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain financial reports. CC ID 14770 [Without prejudice to the responsibility of the members of the administrative, management or supervisory bodies, or of other members who are appointed by the general meeting of shareholders of the audited entity, the audit committee shall, inter alia: monitor the financial reporting process; Article 41 2.(a)] | Leadership and high level objectives | Preventive | |
Structure financial reports in accordance with external requirements, as necessary. CC ID 14776 | Leadership and high level objectives | Preventive | |
Include the report of independent Certified Public Accountants in the financial report. CC ID 14779 | Leadership and high level objectives | Preventive | |
Include the business need justification for lost value in the financial report. CC ID 15588 | Leadership and high level objectives | Preventive | |
Include financial statements in the financial report, as necessary. CC ID 14775 | Leadership and high level objectives | Preventive | |
Include capital deductions and adjustments in the financial statement. CC ID 16667 | Leadership and high level objectives | Preventive | |
Include earnings per share or loss per share in the financial statement. CC ID 16597 | Leadership and high level objectives | Preventive | |
Include material contingencies in the financial statement. CC ID 16596 | Leadership and high level objectives | Preventive | |
Include notes to financial statements in the financial report, as necessary. CC ID 14780 | Leadership and high level objectives | Preventive | |
Include information on loans to small businesses and small farms in the call report. CC ID 16731 | Leadership and high level objectives | Preventive | |
Include assets and liabilities in the call report. CC ID 16729 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a compliance monitoring policy. CC ID 00671 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a metrics policy. CC ID 01654 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain an approach for compliance monitoring. CC ID 01653 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain disciplinary action notices. CC ID 16577 | Monitoring and measurement | Preventive | |
Include a copy of the order in the disciplinary action notice. CC ID 16606 | Monitoring and measurement | Preventive | |
Include the sanctions imposed in the disciplinary action notice. CC ID 16599 | Monitoring and measurement | Preventive | |
Include the effective date of the sanctions in the disciplinary action notice. CC ID 16589 | Monitoring and measurement | Preventive | |
Include the requirements that were violated in the disciplinary action notice. CC ID 16588 | Monitoring and measurement | Preventive | |
Include responses to charges from interested personnel and affected parties in the disciplinary action notice. CC ID 16587 | Monitoring and measurement | Preventive | |
Include the reasons for imposing sanctions in the disciplinary action notice. CC ID 16586 | Monitoring and measurement | Preventive | |
Include required information in the disciplinary action notice. CC ID 16584 | Monitoring and measurement | Preventive | |
Include a justification for actions taken in the disciplinary action notice. CC ID 16583 | Monitoring and measurement | Preventive | |
Include a statement on the conclusions of the investigation in the disciplinary action notice. CC ID 16582 | Monitoring and measurement | Preventive | |
Include the investigation results in the disciplinary action notice. CC ID 16581 | Monitoring and measurement | Preventive | |
Include a description of the causes of the actions taken in the disciplinary action notice. CC ID 16580 | Monitoring and measurement | Preventive | |
Include the name of the person responsible for the charges in the disciplinary action notice. CC ID 16579 | Monitoring and measurement | Preventive | |
Include contact information in the disciplinary action notice. CC ID 16578 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a cross-organizational audit sharing agreement. CC ID 10595 | Monitoring and measurement | Preventive | |
Include a commitment to cooperate with applicable statutory bodies in the Statement of Compliance. CC ID 12370 [The competent authorities of Member States responsible for approval, registration, quality assurance, inspection and discipline shall cooperate with each other whenever necessary for the purpose of carrying out their respective responsibilities under this Directive. The competent authorities in a Member State responsible for approval, registration, quality assurance, inspection and discipline shall render assistance to competent authorities in other Member States. In particular, competent authorities shall exchange information and cooperate in investigations related to the carrying-out of statutory audits. Article 36 1.] | Audits and risk management | Preventive | |
Review external auditor outsourcing contracts and engagement letters. CC ID 01189 [Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: the scope of the quality assurance review, supported by adequate testing of selected audit files, shall include an assessment of compliance with applicable auditing standards and independence requirements, of the quantity and quality of resources spent, of the audit fees charged and of the internal quality control system of the audit firm; Article 29 1.(f)] | Audits and risk management | Preventive | |
Include roles and responsibilities in external auditor outsourcing contracts. CC ID 16523 | Audits and risk management | Preventive | |
Establish, implement, and maintain an audit program. CC ID 00684 [Without prejudice to the responsibility of the members of the administrative, management or supervisory bodies, or of other members who are appointed by the general meeting of shareholders of the audited entity, the audit committee shall, inter alia: monitor the statutory audit of the annual and consolidated accounts; Article 41 2.(c)] | Audits and risk management | Preventive | |
Establish, implement, and maintain audit policies. CC ID 13166 | Audits and risk management | Preventive | |
Include resource requirements in the audit program. CC ID 15237 | Audits and risk management | Preventive | |
Include risks and opportunities in the audit program. CC ID 15236 | Audits and risk management | Preventive | |
Establish and maintain audit terms. CC ID 13880 | Audits and risk management | Preventive | |
Include a statement about the inherent limitations of the audit in the audit terms. CC ID 13883 | Audits and risk management | Preventive | |
Include a statement that the audit will be conducted in accordance with attestation standards in the audit terms. CC ID 13882 | Audits and risk management | Preventive | |
Establish, implement, and maintain agreed upon procedures that are in scope for the audit. CC ID 13893 | Audits and risk management | Preventive | |
Establish, implement, and maintain an in scope system description. CC ID 14873 | Audits and risk management | Preventive | |
Include facility locations in the audit assertion's in scope system description. CC ID 17261 | Audits and risk management | Preventive | |
Include third party services in the audit assertion's in scope system description. CC ID 16503 | Audits and risk management | Preventive | |
Include monitoring controls in the audit assertion's in scope system description. CC ID 16501 | Audits and risk management | Preventive | |
Include availability commitments in the audit assertion's in scope system description. CC ID 14914 | Audits and risk management | Preventive | |
Include changes in the audit assertion's in scope system description. CC ID 14894 | Audits and risk management | Preventive | |
Include external communications in the audit assertion's in scope system description. CC ID 14913 | Audits and risk management | Preventive | |
Include a section regarding incidents related to the system in the audit assertion’s in scope system description. CC ID 14878 | Audits and risk management | Preventive | |
Include the function performed by the in scope system in the audit assertion's in scope system description. CC ID 14911 | Audits and risk management | Preventive | |
Include the disposition of the incident in the audit assertion's in scope system description. CC ID 14896 | Audits and risk management | Preventive | |
Include the extent of the incident in the audit assertion's in scope system description. CC ID 14895 | Audits and risk management | Preventive | |
Include the timing of each incident in the audit assertion's in scope system description. CC ID 14891 | Audits and risk management | Preventive | |
Include the nature of each incident in the audit assertion's in scope system description. CC ID 14889 | Audits and risk management | Preventive | |
Include a section regarding in scope controls related to the system in the audit assertion's in scope system description. CC ID 14897 | Audits and risk management | Preventive | |
Include how the in scope system meets external requirements in the audit assertion's in scope system description. CC ID 16502 | Audits and risk management | Preventive | |
Include the timing of each control in the audit assertion's in scope system description. CC ID 14916 | Audits and risk management | Preventive | |
Include the nature of the control in the audit assertion's in scope system description. CC ID 14910 | Audits and risk management | Preventive | |
Include the information sources used in performing the control in the audit assertion's in scope system description. CC ID 14909 | Audits and risk management | Preventive | |
Include the responsible party for performing the control in the audit assertion's in scope system description. CC ID 14907 | Audits and risk management | Preventive | |
Include the subject matter to which the control is applied in the audit assertion's in scope system description. CC ID 14904 | Audits and risk management | Preventive | |
Refrain from omitting or distorting information in the audit assertion's in scope system description. CC ID 14893 | Audits and risk management | Preventive | |
Include the timing of each change in the audit assertion's in scope system description. CC ID 14892 | Audits and risk management | Preventive | |
Include the system boundaries in the audit assertion's in scope system description. CC ID 14887 | Audits and risk management | Preventive | |
Determine the presentation method of the audit assertion's in scope system description. CC ID 14885 | Audits and risk management | Detective | |
Include the time frame covered by the description in the audit assertion's in scope system description. CC ID 14884 | Audits and risk management | Preventive | |
Include commitments to third parties in the audit assertion. CC ID 14899 | Audits and risk management | Preventive | |
Determine the completeness of the audit assertion's in scope system description. CC ID 14883 | Audits and risk management | Preventive | |
Include system requirements in the audit assertion's in scope system description. CC ID 14881 | Audits and risk management | Preventive | |
Include third party controls in the audit assertion's in scope system description. CC ID 14880 | Audits and risk management | Preventive | |
Examine the relevance of the audit criteria in the audit program. CC ID 07107 | Audits and risk management | Preventive | |
Include in scope information in the audit program. CC ID 16198 | Audits and risk management | Preventive | |
Include a statement that management has evaluated compliance with external requirements in the representation letter. CC ID 13942 | Audits and risk management | Preventive | |
Include a statement that the assumptions used for estimates are reasonable in the representation letter. CC ID 13934 | Audits and risk management | Preventive | |
Include a statement that uncorrected misstatements are believed to be immaterial in the representation letter. CC ID 13884 | Audits and risk management | Preventive | |
Include a statement that system incidents have been disclosed to the auditor in the representation letter. CC ID 16772 | Audits and risk management | Preventive | |
Include a statement that incidents of fraud and non-compliance have been disclosed to the auditor in the representation letter. CC ID 16769 | Audits and risk management | Preventive | |
Include a statement that deficiencies in internal controls have been disclosed to the auditor in the representation letter. CC ID 13899 | Audits and risk management | Preventive | |
Establish and maintain audit assertions, as necessary. CC ID 14871 | Audits and risk management | Detective | |
Include an in scope system description in the audit assertion. CC ID 14872 | Audits and risk management | Preventive | |
Include any assumptions that are improbable in the audit assertion. CC ID 13950 | Audits and risk management | Preventive | |
Include investigations and legal proceedings in the audit assertion. CC ID 16846 | Audits and risk management | Preventive | |
Include the responsible party's opinion of the quality of the evidence in the audit assertion. CC ID 13949 | Audits and risk management | Preventive | |
Establish and maintain a practitioner’s report on management’s assertions, as necessary. CC ID 13888 | Audits and risk management | Preventive | |
Refrain from changing the date of the practitioner's report on agreed-upon procedures when reissuing it. CC ID 13896 | Audits and risk management | Corrective | |
Disclose work papers in the engagement file in compliance with legal requirements. CC ID 07180 [Member States may allow the transfer to the competent authorities of a third country of audit working papers or other documents held by statutory auditors or audit firms approved by them, provided that: those audit working papers or other documents relate to audits of companies which have issued securities in that third country or which form part of a group issuing statutory consolidated accounts in that third country; Article 47 1.(a) Member States may allow the transfer to the competent authorities of a third country of audit working papers or other documents held by statutory auditors or audit firms approved by them, provided that: the transfer takes place via the home competent authorities to the competent authorities of that third country and at their request; Article 47 1.(b) Member States may allow the transfer to the competent authorities of a third country of audit working papers or other documents held by statutory auditors or audit firms approved by them, provided that: the competent authorities of the third country concerned meet requirements which have been declared adequate in accordance with paragraph 3; Article 47 1.(c) Member States may allow the transfer to the competent authorities of a third country of audit working papers or other documents held by statutory auditors or audit firms approved by them, provided that: there are working arrangements on the basis of reciprocity agreed between the competent authorities concerned; Article 47 1.(d) Member States may allow the transfer to the competent authorities of a third country of audit working papers or other documents held by statutory auditors or audit firms approved by them, provided that: the transfer of personal data to the third country is in accordance with Chapter IV of Directive 95/46/EC. Article 47 1.(e) In exceptional cases and by way of derogation from paragraph 1, Member States may allow statutory auditors and audit firms approved by them to transfer audit working papers and other documents directly to the competent authorities of a third country, provided that: investigations have been initiated by the competent authorities in that third country; Article 47 4.(a) In exceptional cases and by way of derogation from paragraph 1, Member States may allow statutory auditors and audit firms approved by them to transfer audit working papers and other documents directly to the competent authorities of a third country, provided that: the transfer does not conflict with the obligations with which statutory auditors and audit firms are required to comply in relation to the transfer of audit working papers and other documents to their home competent authority; Article 47 4.(b) In exceptional cases and by way of derogation from paragraph 1, Member States may allow statutory auditors and audit firms approved by them to transfer audit working papers and other documents directly to the competent authorities of a third country, provided that: there are working arrangements with the competent authorities of that third country that allow the competent authorities in the Member State reciprocal direct access to audit working papers and other documents of that third-country's audit entities; Article 47 4.(c) In exceptional cases and by way of derogation from paragraph 1, Member States may allow statutory auditors and audit firms approved by them to transfer audit working papers and other documents directly to the competent authorities of a third country, provided that: the requesting competent authority of the third country informs in advance the home competent authority of the statutory auditor or audit firm of each direct request for information, indicating the reasons therefor; Article 47 4.(d) In exceptional cases and by way of derogation from paragraph 1, Member States may allow statutory auditors and audit firms approved by them to transfer audit working papers and other documents directly to the competent authorities of a third country, provided that: the conditions referred to in paragraph 2 are respected. Article 47 4.(e)] | Audits and risk management | Preventive | |
Establish, implement, and maintain interview procedures. CC ID 16282 | Audits and risk management | Preventive | |
Establish and maintain work papers, as necessary. CC ID 13891 [Member States shall ensure that in the case of a statutory audit of the consolidated accounts of a group of undertakings: the group auditor carries out a review and maintains documentation of his or her review of the audit work performed by third-country auditor(s), statutory auditor(s), third-country audit entity(ies) or audit firm(s) for the purpose of the group audit. The documentation retained by the group auditor shall be such as enables the relevant competent authority to review the work of the group auditor properly; Article 27 ¶ 1 (b) The working arrangements referred to in paragraph 1(d) shall ensure that: the competent authorities of the third country may use audit working papers and other documents only for the exercise of their functions of public oversight, quality assurance and investigations that meet requirements equivalent to those of Articles 29, 30 and 32; Article 47 2.(c)] | Audits and risk management | Preventive | |
Include the auditor's conclusions on work performed by individuals assigned to the audit in the work papers. CC ID 16775 | Audits and risk management | Preventive | |
Include audit irregularities in the work papers. CC ID 16774 | Audits and risk management | Preventive | |
Include corrective actions in the work papers. CC ID 16771 | Audits and risk management | Preventive | |
Include information about the organization being audited and the auditor performing the audit in the work papers. CC ID 16770 | Audits and risk management | Preventive | |
Include discussions with interested personnel and affected parties in the work papers. CC ID 16768 | Audits and risk management | Preventive | |
Include justification for departing from mandatory requirements in the work papers. CC ID 13935 | Audits and risk management | Preventive | |
Include the reviewer, and dates, for using evidential matter to test in scope controls in the work papers. CC ID 06998 | Audits and risk management | Preventive | |
Include the tests, examinations, interviews and observations performed during the audit in the work papers. CC ID 07190 | Audits and risk management | Preventive | |
Include if any subject matter experts or additional research had to be undertaken to test in scope controls in the work papers. CC ID 07026 | Audits and risk management | Preventive | |
Include the tester, and dates, for using evidential matter to test in scope controls in the work papers. CC ID 06997 | Audits and risk management | Preventive | |
Include the causes of identified in scope control deficiencies in the work papers. CC ID 07000 | Audits and risk management | Preventive | |
Include discussions regarding the causes of identified in scope control deficiencies in the work papers. CC ID 06999 | Audits and risk management | Preventive | |
Establish, implement, and maintain a practitioner’s report on agreed-upon procedures. CC ID 13894 | Audits and risk management | Preventive | |
Establish and maintain a practitioner's examination report on pro forma financial information. CC ID 13968 | Audits and risk management | Preventive | |
Include references to where financial information was derived in the practitioner's review report on pro forma financial information. CC ID 13982 | Audits and risk management | Preventive | |
Include a statement that the financial statements used were audited by other practitioners in the practitioner's examination report on pro forma financial information, as necessary. CC ID 13981 | Audits and risk management | Preventive | |
Establish and maintain organizational audit reports. CC ID 06731 | Audits and risk management | Preventive | |
Determine what disclosures are required in the audit report. CC ID 14888 | Audits and risk management | Detective | |
Include the purpose in the audit report. CC ID 17263 | Audits and risk management | Preventive | |
Include audit subject matter in the audit report. CC ID 14882 | Audits and risk management | Preventive | |
Include an other-matter paragraph in the audit report. CC ID 14901 | Audits and risk management | Preventive | |
Include that the auditee did not provide comments in the audit report. CC ID 16849 | Audits and risk management | Preventive | |
Include written agreements in the audit report. CC ID 17266 | Audits and risk management | Preventive | |
Write the audit report using clear and conspicuous language. CC ID 13948 | Audits and risk management | Preventive | |
Include a statement that the sufficiency of the agreed upon procedures is the responsibility of the specified parties in the audit report. CC ID 13936 | Audits and risk management | Preventive | |
Include a statement that the financial statements were audited in the audit report. CC ID 13963 | Audits and risk management | Preventive | |
Include the criteria that financial information was measured against in the audit report. CC ID 13966 | Audits and risk management | Preventive | |
Include a description of the financial information being reported on in the audit report. CC ID 13965 | Audits and risk management | Preventive | |
Include references to any adjustments of financial information in the audit report. CC ID 13964 | Audits and risk management | Preventive | |
Include in the audit report that audit opinions are not dependent on references to subject matter experts, as necessary. CC ID 13953 | Audits and risk management | Preventive | |
Include references to historical financial information used in the audit report. CC ID 13961 | Audits and risk management | Preventive | |
Include a statement about the inherent limitations of the audit in the audit report. CC ID 14900 | Audits and risk management | Preventive | |
Include a description of the limitations on the usefulness of hypothetical assumptions in the audit report. CC ID 13958 | Audits and risk management | Preventive | |
Structure the audit report to be in the form of procedures and findings. CC ID 13940 | Audits and risk management | Preventive | |
Include any discussions of significant findings in the audit report. CC ID 13955 | Audits and risk management | Preventive | |
Include the date and with whom discussions about significant findings took place in the audit report. CC ID 13962 | Audits and risk management | Preventive | |
Include the audit criteria in the audit report. CC ID 13945 | Audits and risk management | Preventive | |
Include a statement in the audit report that the agreed upon procedures were potentially insufficient in identifying material risks, as necessary. CC ID 13957 | Audits and risk management | Preventive | |
Include all hypothetical assumptions in the audit report. CC ID 13947 | Audits and risk management | Preventive | |
Include a statement that the agreed upon procedures involve collecting evidence in the audit report. CC ID 13956 | Audits and risk management | Preventive | |
Include a statement that the agreed upon procedures were performed by all parties in the audit report. CC ID 13931 | Audits and risk management | Preventive | |
Include references to subject matter experts in the audit report when citing qualified opinions. CC ID 13929 | Audits and risk management | Preventive | |
Include a description of the assistance provided by Subject Matter Experts in the audit report. CC ID 13939 | Audits and risk management | Preventive | |
Include a review of the subject matter expert's findings in the audit report. CC ID 13972 | Audits and risk management | Preventive | |
Include all restrictions on the audit in the audit report. CC ID 13930 | Audits and risk management | Preventive | |
Include a statement that the auditor has no responsibility to update the audit report after its submission. CC ID 13943 | Audits and risk management | Preventive | |
Include a statement on the auditor's ethical requirements in the audit report. CC ID 16767 | Audits and risk management | Preventive | |
Include a statement that the responsible party refused to provide a written assertion in the audit report. CC ID 13887 | Audits and risk management | Preventive | |
Include a statement that the examination involves procedures for collecting evidence in the audit report. CC ID 13941 | Audits and risk management | Preventive | |
Express an adverse opinion in the audit report when significant assumptions are not suitably supported. CC ID 13944 | Audits and risk management | Preventive | |
Include a statement that modifications to historical evidence accurately reflect current evidence in the audit report. CC ID 13938 | Audits and risk management | Preventive | |
Refrain from referencing other auditors' work in the audit report. CC ID 13881 | Audits and risk management | Preventive | |
Include how in scope controls meet external requirements in the audit report. CC ID 16450 | Audits and risk management | Preventive | |
Include the in scope records used to obtain audit evidence in the description of tests of controls and results in the audit report. CC ID 14915 | Audits and risk management | Preventive | |
Include recommended corrective actions in the audit report. CC ID 16197 | Audits and risk management | Preventive | |
Include risks and opportunities in the audit report. CC ID 16196 | Audits and risk management | Preventive | |
Include the description of tests of controls and results in the audit report. CC ID 14898 | Audits and risk management | Preventive | |
Include the nature of the tests performed in the description of tests of controls and results in the audit report. CC ID 14908 | Audits and risk management | Preventive | |
Include the test scope in the description of tests of controls and results in the audit report. CC ID 14906 | Audits and risk management | Preventive | |
Identify the stakeholders interviewed to obtain audit evidence in the description of tests of controls and results in the audit report. CC ID 14905 | Audits and risk management | Preventive | |
Include the controls that were tested in the description of tests of controls and results in the audit report. CC ID 14902 | Audits and risk management | Preventive | |
Include subsequent events related to the audit assertion or audit subject matter in the audit report. CC ID 16773 | Audits and risk management | Preventive | |
Include that the organization is the responsible party for providing in scope services in the audit report. CC ID 14903 | Audits and risk management | Preventive | |
Include an emphasis-of-matter paragraph in the audit report. CC ID 14890 | Audits and risk management | Preventive | |
Review past audit reports. CC ID 01155 [Member States shall ensure that in the case of a statutory audit of the consolidated accounts of a group of undertakings: the group auditor carries out a review and maintains documentation of his or her review of the audit work performed by third-country auditor(s), statutory auditor(s), third-country audit entity(ies) or audit firm(s) for the purpose of the group audit. The documentation retained by the group auditor shall be such as enables the relevant competent authority to review the work of the group auditor properly; Article 27 ¶ 1 (b)] | Audits and risk management | Detective | |
Refrain from including the description of the audit in the audit report when the auditor is disclaiming an audit opinion. CC ID 13975 | Audits and risk management | Preventive | |
Refrain from including scope limitations from changed attestation engagements in the audit report. CC ID 13983 | Audits and risk management | Preventive | |
Refrain from including in the audit report any procedures that were performed that the auditor is disclaiming in an audit opinion. CC ID 13974 | Audits and risk management | Preventive | |
Include deficiencies and non-compliance in the audit report. CC ID 14879 | Audits and risk management | Corrective | |
Include the results of the business impact analysis in the audit report. CC ID 17208 | Audits and risk management | Preventive | |
Include qualified opinions in the audit report. CC ID 13928 | Audits and risk management | Preventive | |
Include a description of the reasons for modifying the audit opinion in the audit report. CC ID 13898 | Audits and risk management | Corrective | |
Include that the auditor did not express an opinion in the audit report, as necessary. CC ID 13886 | Audits and risk management | Preventive | |
Refrain from including reference to procedures performed in previous attestation engagements in the audit report. CC ID 13970 | Audits and risk management | Preventive | |
Include a statement in the audit report that no procedures were performed subsequent to the date of the practitioner's review report on pro forma financial information, as necessary. CC ID 13969 | Audits and risk management | Preventive | |
Modify the audit opinion in the audit report under defined conditions. CC ID 13937 | Audits and risk management | Corrective | |
Include the written signature of the auditor's organization in the audit report. CC ID 13897 [Where an audit firm carries out the statutory audit, the audit report shall be signed by at least the statutory auditor(s) carrying out the statutory audit on behalf of the audit firm. In exceptional circumstances Member States may provide that this signature need not be disclosed to the public if such disclosure could lead to an imminent and significant threat to the personal security of any person. In any case the name(s) of the person(s) involved shall be known to the relevant competent authorities. Article 28 1.] | Audits and risk management | Preventive | |
Include a statement that additional reports are being submitted in the audit report. CC ID 16848 | Audits and risk management | Preventive | |
Define penalties for uncorrected audit findings or remaining non-compliant with the audit report. CC ID 08963 [If the recommendations referred to in point (j) are not followed up, the statutory auditor or audit firm shall, if applicable, be subject to the system of disciplinary actions or penalties referred to in Article 30. Article 29 1. ¶ 1 Member States shall ensure that there are effective systems of investigations and penalties to detect, correct and prevent inadequate execution of the statutory audit. Article 30 1.] | Audits and risk management | Preventive | |
Include the audit criteria in the audit plan. CC ID 15262 | Audits and risk management | Preventive | |
Include a list of reference documents in the audit plan. CC ID 15260 | Audits and risk management | Preventive | |
Include the languages to be used for the audit in the audit plan. CC ID 15252 | Audits and risk management | Preventive | |
Include the allocation of resources in the audit plan. CC ID 15251 | Audits and risk management | Preventive | |
Include communication protocols in the audit plan. CC ID 15247 | Audits and risk management | Preventive | |
Include the level of audit sampling necessary to collect sufficient audit evidence in the audit plan. CC ID 15246 | Audits and risk management | Preventive | |
Include meeting schedules in the audit plan. CC ID 15245 | Audits and risk management | Preventive | |
Include the time frames for the audit in the audit plan. CC ID 15244 | Audits and risk management | Preventive | |
Include the time frames for conducting the audit in the audit plan. CC ID 15243 | Audits and risk management | Preventive | |
Include the locations to be audited in the audit plan. CC ID 15242 | Audits and risk management | Preventive | |
Include the processes to be audited in the audit plan. CC ID 15241 | Audits and risk management | Preventive | |
Include audit objectives in the audit plan. CC ID 15240 | Audits and risk management | Preventive | |
Include the risks associated with audit activities in the audit plan. CC ID 15239 | Audits and risk management | Preventive | |
Establish, implement, and maintain a disclosure report. CC ID 15521 [The system of public oversight shall be transparent. This shall include the publication of annual work programmes and activity reports. Article 32 6.] | Audits and risk management | Preventive | |
Include a summary of the questions and statements from surveys or studies in the disclosure report. CC ID 15631 | Audits and risk management | Preventive | |
Include a statement that confidential information has been omitted in the disclosure report. CC ID 16598 | Audits and risk management | Preventive | |
Include legal proceedings in the disclosure report. CC ID 15564 | Audits and risk management | Preventive | |
Include the context of monetary losses from legal proceedings in the disclosure report. CC ID 15533 | Audits and risk management | Preventive | |
Include the nature of monetary losses from legal proceedings in the disclosure report. CC ID 15532 | Audits and risk management | Preventive | |
Include goals and targets in the disclosure report. CC ID 16339 [Member States shall ensure that statutory auditors and audit firms that carry out statutory audit(s) of public-interest entities publish on their websites, within three months of the end of each financial year, annual transparency reports that include at least the following: a description of the internal quality control system of the audit firm and a statement by the administrative or management body on the effectiveness of its functioning; Article 40 1.(d)] | Audits and risk management | Preventive | |
Include the governance, risk, and compliance approach in the disclosure report. CC ID 16024 | Audits and risk management | Preventive | |
Include the relationship between organizational requirements and external requirements in the disclosure report. CC ID 16154 | Audits and risk management | Preventive | |
Include external requirements in the disclosure report. CC ID 16150 | Audits and risk management | Preventive | |
Include the classification of risks and opportunities posed by climate change in the disclosure report. CC ID 16096 | Audits and risk management | Preventive | |
Include board oversight of risks and opportunities in the disclosure report. CC ID 16337 | Audits and risk management | Preventive | |
Include risk management procedures in the disclosure report. CC ID 16058 | Audits and risk management | Preventive | |
Include the risk management strategy in the disclosure report. CC ID 16348 | Audits and risk management | Preventive | |
Include risk assessment procedures in the disclosure report. CC ID 16343 | Audits and risk management | Preventive | |
Include the organization's primary activities in the disclosure report. CC ID 16043 | Audits and risk management | Preventive | |
Include business operations owned by the organization in the disclosure report. CC ID 15614 | Audits and risk management | Preventive | |
Include critical business operations that support cloud services in the disclosure report. CC ID 15612 | Audits and risk management | Preventive | |
Include the relationship between the tax strategy and the organizational strategy in the disclosure report. CC ID 16035 | Audits and risk management | Preventive | |
Include reference to assurance statements in the disclosure report. CC ID 16033 [Member States shall ensure that statutory auditors and audit firms that carry out statutory audit(s) of public-interest entities publish on their websites, within three months of the end of each financial year, annual transparency reports that include at least the following: an indication of when the last quality assurance review referred to in Article 29 took place; Article 40 1.(e)] | Audits and risk management | Preventive | |
Include a description of assurance processes in the disclosure report. CC ID 16031 [Member States shall ensure that statutory auditors and audit firms that carry out statutory audit(s) of public-interest entities publish on their websites, within three months of the end of each financial year, annual transparency reports that include at least the following: a description of the internal quality control system of the audit firm and a statement by the administrative or management body on the effectiveness of its functioning; Article 40 1.(d)] | Audits and risk management | Preventive | |
Include metrics in the disclosure report. CC ID 15916 | Audits and risk management | Preventive | |
Include metrics on diversity and equal opportunity in the disclosure report. CC ID 15934 | Audits and risk management | Preventive | |
Include the percentage of individuals in each racial group or ethnic group in the disclosure report. CC ID 15632 | Audits and risk management | Preventive | |
Include the percentage of individuals in specified age groups in the disclosure report. CC ID 15871 | Audits and risk management | Preventive | |
Include the number of individuals in each region in the disclosure report. CC ID 15835 | Audits and risk management | Preventive | |
Include the number of individuals in each gender category in the disclosure report. CC ID 15633 | Audits and risk management | Preventive | |
Include the total number of incidents of discrimination in the disclosure report. CC ID 15788 | Audits and risk management | Preventive | |
Include the ratio of the basic salary and remuneration of women and men in the disclosure report. CC ID 15869 | Audits and risk management | Preventive | |
Include the percentage of individuals in specified diversity categories in the disclosure report. CC ID 15870 | Audits and risk management | Preventive | |
Include metrics criteria in the disclosure report. CC ID 16143 | Audits and risk management | Preventive | |
Include risk management metrics in the disclosure report. CC ID 16345 | Audits and risk management | Preventive | |
Include financial management metrics in the disclosure report. CC ID 16042 [Member States shall ensure that statutory auditors and audit firms that carry out statutory audit(s) of public-interest entities publish on their websites, within three months of the end of each financial year, annual transparency reports that include at least the following: financial information showing the importance of the audit firm, such as the total turnover divided into fees from the statutory audit of annual and consolidated accounts, and fees charged for other assurance services, tax advisory services and other non-audit services; Article 40 1.(i)] | Audits and risk management | Preventive | |
Include a breakdown of financial assistance received from the government in the disclosure report. CC ID 16104 | Audits and risk management | Preventive | |
Include metrics on anti-corruption in the disclosure report. CC ID 16052 | Audits and risk management | Preventive | |
Include environmental management metrics in the disclosure report. CC ID 16012 | Audits and risk management | Preventive | |
Include a breakdown, by extinction risk, of the listed species with habitats in areas affected by organizational operations in the disclosure report. CC ID 16041 | Audits and risk management | Preventive | |
Include metrics on procurement practices in the disclosure report. CC ID 16011 | Audits and risk management | Preventive | |
Include emissions management metrics in the disclosure report. CC ID 15987 | Audits and risk management | Preventive | |
Include compliance metrics in the disclosure report. CC ID 15932 | Audits and risk management | Preventive | |
Include the total amount of monetary losses from legal proceedings in the disclosure report. CC ID 15548 | Audits and risk management | Preventive | |
Include the total number of incidents of non-compliance in the disclosure report. CC ID 15813 | Audits and risk management | Preventive | |
Include metrics on labor-management relations in the disclosure report. CC ID 15935 | Audits and risk management | Preventive | |
Include the minimum number of weeks' notice provided to employees and their representatives prior to the implementation of significant operational changes that could substantially affect them in the disclosure report. CC ID 15895 | Audits and risk management | Preventive | |
Include waste management metrics in the disclosure report. CC ID 15925 | Audits and risk management | Preventive | |
Include the total weight of hazardous waste directed to disposal in the disclosure report. CC ID 15774 | Audits and risk management | Preventive | |
Include the total weight of waste generated in the disclosure report. CC ID 15778 | Audits and risk management | Preventive | |
Include a breakdown of hazardous waste directed to disposal in the disclosure report. CC ID 15781 | Audits and risk management | Preventive | |
Include a breakdown of waste generated in the disclosure report. CC ID 15775 | Audits and risk management | Preventive | |
Include the total weight of non-hazardous waste directed to disposal in the disclosure report. CC ID 15772 | Audits and risk management | Preventive | |
Include a breakdown of non-hazardous waste directed to disposal in the disclosure report. CC ID 15780 | Audits and risk management | Preventive | |
Include the total weight of non-hazardous waste diverted from disposal in the disclosure report. CC ID 15770 | Audits and risk management | Preventive | |
Include a breakdown of non-hazardous waste diverted from disposal in the disclosure report. CC ID 15771 | Audits and risk management | Preventive | |
Include the total weight of waste diverted from disposal in the disclosure report. CC ID 15766 | Audits and risk management | Preventive | |
Include a breakdown of waste diverted from disposal in the disclosure report. CC ID 15767 | Audits and risk management | Preventive | |
Include the total weight of hazardous waste diverted from disposal in the disclosure report. CC ID 15768 | Audits and risk management | Preventive | |
Include a breakdown of hazardous waste diverted from disposal in the disclosure report. CC ID 15769 | Audits and risk management | Preventive | |
Include the total weight of waste directed to disposal in the disclosure report. CC ID 15777 | Audits and risk management | Preventive | |
Include a breakdown of waste directed to disposal in the disclosure report. CC ID 15776 | Audits and risk management | Preventive | |
Include product and service management metrics in the disclosure report. CC ID 15917 | Audits and risk management | Preventive | |
Include the number of products and services provided by the organization in the disclosure report. CC ID 15833 | Audits and risk management | Preventive | |
Include the percentage of product or service categories assessed for compliance in the disclosure report. CC ID 15811 | Audits and risk management | Preventive | |
Include water management metrics in the disclosure report. CC ID 15924 | Audits and risk management | Preventive | |
Include the total water withdrawal in the disclosure report. CC ID 15593 | Audits and risk management | Preventive | |
Include the total water withdrawal from locations with significant baseline water stress in the disclosure report. CC ID 15596 | Audits and risk management | Preventive | |
Include a breakdown of water withdrawal from locations with significant baseline water stress in the disclosure report. CC ID 15794 | Audits and risk management | Preventive | |
Include a breakdown of water withdrawal in the disclosure report. CC ID 15795 | Audits and risk management | Preventive | |
Include the total water discharge in the disclosure report. CC ID 15758 | Audits and risk management | Preventive | |
Include a breakdown of water discharge in the disclosure report. CC ID 15759 | Audits and risk management | Preventive | |
Include the total water discharge to locations with significant baseline water stress in the disclosure report. CC ID 15760 | Audits and risk management | Preventive | |
Include a breakdown of water discharge to locations with significant baseline water stress in the disclosure report. CC ID 15797 | Audits and risk management | Preventive | |
Include the total water consumption in the disclosure report. CC ID 15642 | Audits and risk management | Preventive | |
Include the total water consumption in locations with significant baseline water stress in the disclosure report. CC ID 15598 | Audits and risk management | Preventive | |
Include the total number of complaints received in the disclosure report. CC ID 15728 | Audits and risk management | Preventive | |
Include the percentage of individuals involved in the study or survey in the disclosure report. CC ID 15643 | Audits and risk management | Preventive | |
Include employment practices metrics in the disclosure report. CC ID 15921 [Member States shall ensure that statutory auditors and audit firms that carry out statutory audit(s) of public-interest entities publish on their websites, within three months of the end of each financial year, annual transparency reports that include at least the following: information concerning the basis for the partners' remuneration. Article 40 1.(j)] | Audits and risk management | Preventive | |
Include the rate of employee turnover in the disclosure report. CC ID 15898 | Audits and risk management | Preventive | |
Include the total number of new employee hires in the disclosure report. CC ID 15896 | Audits and risk management | Preventive | |
Include the total number of employees in the disclosure report. CC ID 15834 | Audits and risk management | Preventive | |
Include metrics on parental leave in the disclosure report. CC ID 15936 | Audits and risk management | Preventive | |
Include the total number of employees that returned to work after parental leave ended that were still employed twelve months after their return to work in the disclosure report. CC ID 15906 | Audits and risk management | Preventive | |
Include the number of hours worked in the disclosure report. CC ID 15910 | Audits and risk management | Preventive | |
Include metrics on public policy advocacy in the disclosure report. CC ID 15947 | Audits and risk management | Preventive | |
Include the total monetary value of political contributions in the disclosure report. CC ID 15803 | Audits and risk management | Preventive | |
Include metrics on training and education in the disclosure report. CC ID 15940 | Audits and risk management | Preventive | |
Include the percentage of total employees who received a performance review in the disclosure report. CC ID 15877 | Audits and risk management | Preventive | |
Include the average hours of training undertaken by employees in the disclosure report. CC ID 15881 | Audits and risk management | Preventive | |
Include operational metrics in the disclosure report. CC ID 15939 | Audits and risk management | Preventive | |
Include incident management metrics in the disclosure report. CC ID 15926 | Audits and risk management | Preventive | |
Include the number of service disruptions in services provided to users in the disclosure report. CC ID 15618 | Audits and risk management | Preventive | |
Include the number of performance issues in services provided to users in the disclosure report. CC ID 15606 | Audits and risk management | Preventive | |
Include the total number of operations performed by the organization in the disclosure report. CC ID 15831 | Audits and risk management | Preventive | |
Include metrics on information privacy and freedom of expression in the disclosure report. CC ID 15933 | Audits and risk management | Preventive | |
Include the number of individuals whose information is used for secondary purposes in the disclosure report. CC ID 15557 | Audits and risk management | Preventive | |
Include the total number of leaks, thefts, or losses of restricted data in the disclosure report. CC ID 15729 | Audits and risk management | Preventive | |
Include the number of content removal requests in the disclosure report. CC ID 15647 | Audits and risk management | Preventive | |
Include the percentage of individuals affected by monitoring, blocking, or filtering in the disclosure report. CC ID 15640 | Audits and risk management | Preventive | |
Include the total number of unique requests for an individual's information in the disclosure report. CC ID 15542 | Audits and risk management | Preventive | |
Include the percentage of data breaches which involved personal data in the disclosure report. CC ID 15543 | Audits and risk management | Preventive | |
Include third party management metrics in the disclosure report. CC ID 15923 | Audits and risk management | Preventive | |
Include the total number of contractors and outsource partners in the disclosure report. CC ID 15837 | Audits and risk management | Preventive | |
Include metrics on supplier environmental assessments in the disclosure report. CC ID 15937 | Audits and risk management | Preventive | |
Include the percentage of suppliers identified as having significant negative environmental impacts with which improvements were agreed upon as a result of assessment in the disclosure report. CC ID 15884 | Audits and risk management | Preventive | |
Include the percentage of suppliers identified as having significant negative environmental impacts with which relationships were terminated as a result of assessment in the disclosure report. CC ID 15883 | Audits and risk management | Preventive | |
Include the number of suppliers assessed for environmental impacts in the disclosure report. CC ID 15886 | Audits and risk management | Preventive | |
Include the number of suppliers identified as having significant negative environmental impacts in the disclosure report. CC ID 15885 | Audits and risk management | Preventive | |
Include the percentage of new suppliers that were screened using environmental criteria in the disclosure report. CC ID 15887 | Audits and risk management | Preventive | |
Include metrics on supplier social assessments in the disclosure report. CC ID 15938 | Audits and risk management | Preventive | |
Include the percentage of new suppliers that were screened using social criteria in the disclosure report. CC ID 15808 | Audits and risk management | Preventive | |
Include the number of suppliers with significant negative social impacts in the disclosure report. CC ID 15807 | Audits and risk management | Preventive | |
Include the percentage of suppliers with significant negative social impacts with which improvements were agreed upon in the disclosure report. CC ID 15806 | Audits and risk management | Preventive | |
Include the percentage of suppliers having significant negative social impacts with which relationships were terminated in the disclosure report. CC ID 15805 | Audits and risk management | Preventive | |
Include the number of suppliers assessed for social impacts in the disclosure report. CC ID 15810 | Audits and risk management | Preventive | |
Include customer health and safety management metrics in the disclosure report. CC ID 15922 | Audits and risk management | Preventive | |
Include the percentage of product or service categories for which health and safety impacts are assessed for improvement in the disclosure report. CC ID 15814 | Audits and risk management | Preventive | |
Include energy management metrics in the disclosure report. CC ID 15920 | Audits and risk management | Preventive | |
Include the total energy reduction in the disclosure report. CC ID 15749 | Audits and risk management | Preventive | |
Include the total amount of reductions in the energy requirements of products and services in the disclosure report. CC ID 15751 | Audits and risk management | Preventive | |
Exclude energy reduction resulting from reduced production capacity or outsourcing in the disclosure report. CC ID 15750 | Audits and risk management | Preventive | |
Include the total heating sold in the disclosure report. CC ID 15739 | Audits and risk management | Preventive | |
Include the total fuel consumption from non-renewable energy sources in the disclosure report. CC ID 15746 | Audits and risk management | Preventive | |
Include the total electricity sold in the disclosure report. CC ID 15740 | Audits and risk management | Preventive | |
Include the total energy consumption in the disclosure report. CC ID 15506 | Audits and risk management | Preventive | |
Include the total fuel consumption from renewable energy sources in the disclosure report. CC ID 15744 | Audits and risk management | Preventive | |
Include the total heating consumption in the disclosure report. CC ID 15743 | Audits and risk management | Preventive | |
Include the total cooling sold in the disclosure report. CC ID 15738 | Audits and risk management | Preventive | |
Include the total cooling consumption in the disclosure report. CC ID 15742 | Audits and risk management | Preventive | |
Include the total steam sold in the disclosure report. CC ID 15737 | Audits and risk management | Preventive | |
Include the total steam consumption in the disclosure report. CC ID 15741 | Audits and risk management | Preventive | |
Include the fuel types used in the disclosure report. CC ID 15745 | Audits and risk management | Preventive | |
Include materials management metrics in the disclosure report. CC ID 15919 | Audits and risk management | Preventive | |
Include the total weight or volume of renewable materials used by the organization in the disclosure report. CC ID 15791 | Audits and risk management | Preventive | |
Include the weight of recovered materials through product take-back programs and recycling services in the disclosure report. CC ID 15562 | Audits and risk management | Preventive | |
Include the total weight or volume of non-renewable materials used by the organization in the disclosure report. CC ID 15792 | Audits and risk management | Preventive | |
Include occupational health and safety management metrics in the disclosure report. CC ID 15918 | Audits and risk management | Preventive | |
Include the total number of employees and non-employees covered by the occupational health and safety management system in the disclosure report. CC ID 15891 | Audits and risk management | Preventive | |
Include the total number of work-related injuries in the disclosure report. CC ID 15899 | Audits and risk management | Preventive | |
Include the number of cases of work-related ill health in the disclosure report. CC ID 15914 | Audits and risk management | Preventive | |
Include outsourcing arrangements in the disclosure report. CC ID 15621 | Audits and risk management | Preventive | |
Include business operations outsourced to third parties in the disclosure report. CC ID 15616 | Audits and risk management | Preventive | |
Include how material topics are managed in the disclosure report. CC ID 15657 | Audits and risk management | Preventive | |
Include disclosures for each material topic in the disclosure report. CC ID 15658 | Audits and risk management | Preventive | |
Include a description of how the organization manages privacy in the disclosure report. CC ID 15785 | Audits and risk management | Preventive | |
Include the content removal policy in the disclosure report. CC ID 15650 | Audits and risk management | Preventive | |
Include the level of management approval required for content removal requests in the disclosure report. CC ID 15653 | Audits and risk management | Preventive | |
Include requirements for content removal requests in the disclosure report. CC ID 15652 | Audits and risk management | Preventive | |
Include the conditions for denying content removal requests in the disclosure report. CC ID 15651 | Audits and risk management | Preventive | |
Include the scope of content removal requests in the disclosure report. CC ID 15648 | Audits and risk management | Preventive | |
Include a description of data subjects in the disclosure report. CC ID 16791 | Audits and risk management | Preventive | |
Include the categories of personal data maintained by the organization in the disclosure report. CC ID 16790 | Audits and risk management | Preventive | |
Include a business need justification for personal data processing in the disclosure report. CC ID 16788 | Audits and risk management | Preventive | |
Include the personal data use purpose specification in the disclosure report. CC ID 16786 | Audits and risk management | Preventive | |
Include a description of the information systems that process personal data in the disclosure report. CC ID 16784 | Audits and risk management | Preventive | |
Include the policies and procedures related to freedom of expression in the disclosure report. CC ID 15604 | Audits and risk management | Preventive | |
Include dispute resolution quality measures in the disclosure report. CC ID 16312 | Audits and risk management | Preventive | |
Include all data requests that resulted in compliance with the disclosure request in the disclosure report. CC ID 15547 | Audits and risk management | Preventive | |
Include individuals whose information is provided to third parties for secondary purposes in the disclosure report. CC ID 15559 | Audits and risk management | Preventive | |
Include the disclosure of aggregated, de-identified, and anonymized data to the requesting party in the disclosure report. CC ID 15570 | Audits and risk management | Preventive | |
Include a description of how the organization manages records in the disclosure report. CC ID 16787 | Audits and risk management | Preventive | |
Include a description of how the organization manages anti-corruption in the disclosure report. CC ID 16055 | Audits and risk management | Preventive | |
Include a description of incidents of corruption in the disclosure report. CC ID 16067 | Audits and risk management | Preventive | |
Include significant risks related to corruption in the disclosure report. CC ID 16065 | Audits and risk management | Preventive | |
Include the interested personnel and affected parties to whom the anti-corruption program has been communicated in the disclosure report. CC ID 16064 | Audits and risk management | Preventive | |
Include a description of how the organization manages economic performance in the disclosure report. CC ID 16054 | Audits and risk management | Preventive | |
Include risks and opportunities posed by climate change in the disclosure report. CC ID 16060 | Audits and risk management | Preventive | |
Include a justification for reporting financial data on a cash basis in the disclosure report. CC ID 16059 | Audits and risk management | Preventive | |
Include a description of how the organization manages biodiversity in the disclosure report. CC ID 15986 | Audits and risk management | Preventive | |
Include whether habitat restoration measures have been approved by independent external professionals in the disclosure report. CC ID 16075 | Audits and risk management | Preventive | |
Include the condition of habitat areas protected or restored by the organization in the disclosure report. CC ID 16040 | Audits and risk management | Preventive | |
Include whether third party relationships exist to protect or restore habitat areas in the disclosure report. CC ID 16039 | Audits and risk management | Preventive | |
Include the biodiversity value of operational sites in the disclosure report. CC ID 16034 | Audits and risk management | Preventive | |
Include the type of operations near areas of high biodiversity value in the disclosure report. CC ID 16025 | Audits and risk management | Preventive | |
Include the location of operational sites near areas of high biodiversity value in the disclosure report. CC ID 16020 | Audits and risk management | Preventive | |
Include the location of habitat areas protected or restored by the organization in the disclosure report. CC ID 16018 | Audits and risk management | Preventive | |
Include the species impacted by organizational activities, products, and services in the disclosure report. CC ID 16015 | Audits and risk management | Preventive | |
Include underground land owned by the organization near areas of high biodiversity value in the disclosure report. CC ID 16014 | Audits and risk management | Preventive | |
Include a description of how the organization manages taxes in the disclosure report. CC ID 15985 | Audits and risk management | Preventive | |
Include the frequency of tax strategy reviews in the disclosure report. CC ID 16074 | Audits and risk management | Preventive | |
Include a justification for differences between corporate income tax accrued and tax due in the disclosure report. CC ID 16051 | Audits and risk management | Preventive | |
Include the tax jurisdictions in the disclosure report. CC ID 16047 | Audits and risk management | Preventive | |
Include the roles and responsibilities assigned to tax governance and control in the disclosure report. CC ID 16030 | Audits and risk management | Preventive | |
Include the tax strategy in the disclosure report. CC ID 16029 | Audits and risk management | Preventive | |
Include the tax governance and control framework in the disclosure report. CC ID 16028 | Audits and risk management | Preventive | |
Include the management of tax risks in the disclosure report. CC ID 16026 | Audits and risk management | Preventive | |
Include a description of how the organization manages market presence in the disclosure report. CC ID 15983 | Audits and risk management | Preventive | |
Include the actions taken to determine whether workers are paid above minimum wage in the disclosure report. CC ID 16056 | Audits and risk management | Preventive | |
Include the local minimum wage in the disclosure report. CC ID 15992 | Audits and risk management | Preventive | |
Include a description of how the organization manages anti-competitive behavior in the disclosure report. CC ID 15981 | Audits and risk management | Preventive | |
Include a description of how the organization manages procurement practices in the disclosure report. CC ID 15980 | Audits and risk management | Preventive | |
Include a description of how the organization manages indirect economic impacts in the disclosure report. CC ID 15979 | Audits and risk management | Preventive | |
Include service and infrastructure investments that benefit the public in the disclosure report. CC ID 15984 | Audits and risk management | Preventive | |
Include a description of how the organization manages emissions in the disclosure report. CC ID 15970 | Audits and risk management | Preventive | |
Include the risks related to greenhouse gas emissions in the disclosure report. CC ID 16338 | Audits and risk management | Preventive | |
Include the emissions management plan in the disclosure report. CC ID 16177 | Audits and risk management | Preventive | |
Include the scope of the emissions management plan in the disclosure report. CC ID 16168 | Audits and risk management | Preventive | |
Include emission reduction targets in the disclosure report. CC ID 16148 | Audits and risk management | Preventive | |
Include the scope of emission reduction targets in the disclosure report. CC ID 16149 | Audits and risk management | Preventive | |
Include the scope of greenhouse gas emissions in the disclosure report. CC ID 16147 | Audits and risk management | Preventive | |
Include a description of carbon offsets in the disclosure report. CC ID 15988 | Audits and risk management | Preventive | |
Include the design and development of data centers in the disclosure report. CC ID 15620 | Audits and risk management | Preventive | |
Include a list of countries or geographical regions where the organization's products and services are monitored, blocked, or filtered in the disclosure report. CC ID 15601 | Audits and risk management | Preventive | |
Include a list of products affected by monitoring, blocking, or filtering in the disclosure report. CC ID 15641 | Audits and risk management | Preventive | |
Include the implications of blocking or censorship on an organization's products and services in the disclosure report. CC ID 15639 | Audits and risk management | Preventive | |
Identify products and services affected by monitoring or blocking in the disclosure report. CC ID 15638 | Audits and risk management | Preventive | |
Include the reasons modifications were made to existing products and services in the disclosure report. CC ID 15637 | Audits and risk management | Preventive | |
Include the differences between products and services being offered in different markets in the disclosure report. CC ID 15636 | Audits and risk management | Preventive | |
Include a description of how the organization manages customer health and safety in the disclosure report. CC ID 15801 | Audits and risk management | Preventive | |
Include the nature of complaints received in the disclosure report. CC ID 15844 | Audits and risk management | Preventive | |
Include a description of how the organization manages child labor in the disclosure report. CC ID 15851 | Audits and risk management | Preventive | |
Include operations with a risk for incidents of child labor in the disclosure report. CC ID 15864 | Audits and risk management | Preventive | |
Include third parties with a risk for incidents of child labor in the disclosure report. CC ID 15863 | Audits and risk management | Preventive | |
Include operations with a risk for exposing young workers to hazardous work in the disclosure report. CC ID 15862 | Audits and risk management | Preventive | |
Include third parties with a risk for exposing young workers to hazardous work in the disclosure report. CC ID 15861 | Audits and risk management | Preventive | |
Include the locations that are at risk for incidents of child labor in the disclosure report. CC ID 15860 | Audits and risk management | Preventive | |
Include the measures taken to abolish child labor in the disclosure report. CC ID 15859 | Audits and risk management | Preventive | |
Include a description of how the organization manages diversity and equal opportunity in the disclosure report. CC ID 15853 | Audits and risk management | Preventive | |
Include the employee representation program in the disclosure report. CC ID 15628 | Audits and risk management | Preventive | |
Include a description of how the organization manages marketing and labeling in the disclosure report. CC ID 15802 | Audits and risk management | Preventive | |
Include the information required by the product and service information and labeling procedures in the disclosure report. CC ID 15812 | Audits and risk management | Preventive | |
Include a description of how the organization manages occupational health and safety in the disclosure report. CC ID 15888 | Audits and risk management | Preventive | |
Include the workers covered by the occupational health and safety management system in the disclosure report. CC ID 16151 | Audits and risk management | Preventive | |
Include a description of voluntary health promotion programs in the disclosure report. CC ID 16119 | Audits and risk management | Preventive | |
Include the main types of work-related ill health in the disclosure report. CC ID 15961 | Audits and risk management | Preventive | |
Include a description of formal joint management-worker health and safety committees in the disclosure report. CC ID 15913 | Audits and risk management | Preventive | |
Include the reasons workers are not represented by formal joint management-worker health and safety committees in the disclosure report. CC ID 15912 | Audits and risk management | Preventive | |
Include work-related hazards in the disclosure report. CC ID 15911 | Audits and risk management | Preventive | |
Include a description of the occupational health and safety risk assessment process in the disclosure report. CC ID 15909 | Audits and risk management | Preventive | |
Include a description of occupational health and safety training in the disclosure report. CC ID 15908 | Audits and risk management | Preventive | |
Include how occupational health and safety information is disseminated and communicated in the disclosure report. CC ID 15907 | Audits and risk management | Preventive | |
Include the occupational health and safety risk reporting process in the disclosure report. CC ID 15904 | Audits and risk management | Preventive | |
Include the occupational health and safety policy in the disclosure report. CC ID 15905 | Audits and risk management | Preventive | |
Include the processes used to investigate work-related incidents in the disclosure report. CC ID 15903 | Audits and risk management | Preventive | |
Include a description of the occupational health and safety management system in the disclosure report. CC ID 15901 | Audits and risk management | Preventive | |
Include the main types of work-related injury in the disclosure report. CC ID 15959 | Audits and risk management | Preventive | |
Include a description of how the organization manages forced or compulsory labor in the disclosure report. CC ID 15850 | Audits and risk management | Preventive | |
Include operations with a risk for forced or compulsory labor in the disclosure report. CC ID 15858 | Audits and risk management | Preventive | |
Include third parties with a risk for forced or compulsory labor in the disclosure report. CC ID 15857 | Audits and risk management | Preventive | |
Include the locations with a risk for forced or compulsory labor in the disclosure report. CC ID 15856 | Audits and risk management | Preventive | |
Include the measures taken to eliminate forced or compulsory labor in the disclosure report. CC ID 15855 | Audits and risk management | Preventive | |
Include the measures taken to protect whistleblowers against retaliation in the disclosure report. CC ID 15902 | Audits and risk management | Preventive | |
Include a description of how the organization manages employment in the disclosure report. CC ID 15890 | Audits and risk management | Preventive | |
Include the risks of recruiting foreign nationals and offshore employees in the disclosure report. CC ID 15624 | Audits and risk management | Preventive | |
Include the process for reporting near misses in the disclosure report. CC ID 16211 | Audits and risk management | Preventive | |
Include the extent to which benefit plan liabilities are covered in the disclosure report. CC ID 16109 | Audits and risk management | Preventive | |
Include the level of participation in benefit plans in the disclosure report. CC ID 16057 | Audits and risk management | Preventive | |
Include the Code of Conduct in the disclosure report. CC ID 16205 | Audits and risk management | Preventive | |
Include the standard benefits for full-time employees in the disclosure report. CC ID 15897 | Audits and risk management | Preventive | |
Include a description of how the organization manages labor-management relations in the disclosure report. CC ID 15889 | Audits and risk management | Preventive | |
Include the scope of work stoppages in the disclosure report. CC ID 16215 | Audits and risk management | Preventive | |
Include the reason for each work stoppage in the disclosure report. CC ID 16213 | Audits and risk management | Preventive | |
Include the impact of work stoppages in the disclosure report. CC ID 16212 | Audits and risk management | Preventive | |
Include a description of collective bargaining agreements in the disclosure report. CC ID 15894 | Audits and risk management | Preventive | |
Include a description of how the organization manages supplier environmental assessment in the disclosure report. CC ID 15876 | Audits and risk management | Preventive | |
Include the reasons why relationships were terminated with suppliers having significant negative environmental impacts in the disclosure report. CC ID 15882 | Audits and risk management | Preventive | |
Include a description of how the organization manages training and education in the disclosure report. CC ID 15875 [Member States shall ensure that statutory auditors and audit firms that carry out statutory audit(s) of public-interest entities publish on their websites, within three months of the end of each financial year, annual transparency reports that include at least the following: a statement on the policy followed by the audit firm concerning the continuing education of statutory auditors referred to in Article 13; Article 40 1.(h)] | Audits and risk management | Preventive | |
Include a description of professional development programs in the disclosure report. CC ID 15880 | Audits and risk management | Preventive | |
Include a description of professional development assistance in the disclosure report. CC ID 15879 | Audits and risk management | Preventive | |
Include a description of transition assistance programs in the disclosure report. CC ID 15878 | Audits and risk management | Preventive | |
Include a description of how the organization manages freedom of association and collective bargaining in the disclosure report. CC ID 15852 | Audits and risk management | Preventive | |
Include the types of operations in which workers' rights to exercise freedom of association and collective bargaining may be violated in the disclosure report. CC ID 15868 | Audits and risk management | Preventive | |
Include the types of third parties for which workers' rights to exercise freedom of association and collective bargaining may be violated in the disclosure report. CC ID 15867 | Audits and risk management | Preventive | |
Include the locations at risk of violating workers' rights to exercise freedom of association and collective bargaining in the disclosure report. CC ID 15866 | Audits and risk management | Preventive | |
Include the measures taken to support workers' rights to exercise freedom of association and collective bargaining in the disclosure report. CC ID 15865 | Audits and risk management | Preventive | |
Include a description of how the organization manages waste in the disclosure report. CC ID 15765 | Audits and risk management | Preventive | |
Include the material of spills in the disclosure report. CC ID 15968 | Audits and risk management | Preventive | |
Include the location of spills in the disclosure report. CC ID 15964 | Audits and risk management | Preventive | |
Include a description of how the organization manages the rights of indigenous peoples in the disclosure report. CC ID 15849 | Audits and risk management | Preventive | |
Include products that contain declarable substances in the disclosure report. CC ID 16161 | Audits and risk management | Preventive | |
Include a description of how the organization manages supplier social assessment in the disclosure report. CC ID 15799 | Audits and risk management | Preventive | |
Include the reason why relationships were terminated with suppliers having significant negative social impacts in the disclosure report. CC ID 15804 | Audits and risk management | Preventive | |
Include a description of how the organization manages energy in the disclosure report. CC ID 15783 | Audits and risk management | Preventive | |
Include the types of energy affected by energy reduction in the disclosure report. CC ID 15731 | Audits and risk management | Preventive | |
Include the scope of renewable energy in the disclosure report. CC ID 15509 | Audits and risk management | Preventive | |
Include the scope of energy consumption in the disclosure report. CC ID 15508 | Audits and risk management | Preventive | |
Include the types of energy used in the disclosure report. CC ID 15748 | Audits and risk management | Preventive | |
Include energy efficiency considerations in product design and development in the disclosure report. CC ID 16155 | Audits and risk management | Preventive | |
Include a description of how the organization manages public policy in the disclosure report. CC ID 15800 | Audits and risk management | Preventive | |
Include a description of how the organization manages materials in the disclosure report. CC ID 15782 | Audits and risk management | Preventive | |
Include the scope of recovered material in the disclosure report. CC ID 16204 | Audits and risk management | Preventive | |
Include materials that present a risk to operations in the disclosure report. CC ID 16173 | Audits and risk management | Preventive | |
Include the risks represented by materials in the disclosure report. CC ID 16171 | Audits and risk management | Preventive | |
Include the risk management approach to the use of materials in the disclosure report. CC ID 16169 | Audits and risk management | Preventive | |
Include management of the availability of materials in the disclosure report. CC ID 16167 | Audits and risk management | Preventive | |
Include management of the price of materials in the disclosure report. CC ID 16165 | Audits and risk management | Preventive | |
Include the business activities that use declarable substances in the disclosure report. CC ID 16158 | Audits and risk management | Preventive | |
Include a description of how the organization manages declarable substances in the disclosure report. CC ID 16156 | Audits and risk management | Preventive | |
Include a description of how the organization manages non-discrimination in the disclosure report. CC ID 15764 | Audits and risk management | Preventive | |
Include the status of incidents of discrimination in the disclosure report. CC ID 15790 | Audits and risk management | Preventive | |
Include corrective actions taken for incidents of discrimination in the disclosure report. CC ID 15789 | Audits and risk management | Preventive | |
Include a description of incidents of discrimination in the disclosure report. CC ID 15787 | Audits and risk management | Preventive | |
Include incidents of discrimination no longer subject to action in the disclosure report. CC ID 15786 | Audits and risk management | Preventive | |
Include a description of how the organization manages local communities in the disclosure report. CC ID 15798 | Audits and risk management | Preventive | |
Include a description of local community consultation committees in the disclosure report. CC ID 15821 | Audits and risk management | Preventive | |
Include the results of impact assessments in the disclosure report. CC ID 15820 | Audits and risk management | Preventive | |
Include a description of community development programs in the disclosure report. CC ID 15818 | Audits and risk management | Preventive | |
Include a description of the impact assessments in the disclosure report. CC ID 15817 | Audits and risk management | Preventive | |
Include a description of worker representation bodies in the disclosure report. CC ID 15816 | Audits and risk management | Preventive | |
Include a description of local community grievance processes in the disclosure report. CC ID 15815 | Audits and risk management | Preventive | |
Include a description of how the organization manages security practices in the disclosure report. CC ID 15784 | Audits and risk management | Preventive | |
Include trends in the frequency of incidents in the disclosure report. CC ID 15511 | Audits and risk management | Preventive | |
Include trends in the origination of incidents in the disclosure report. CC ID 15512 | Audits and risk management | Preventive | |
Include trends in incident type in the disclosure report. CC ID 15510 | Audits and risk management | Preventive | |
Include a description of how the organization interacts with water in the disclosure report. CC ID 15752 | Audits and risk management | Preventive | |
Include a description of water consumption in the disclosure report. CC ID 15754 | Audits and risk management | Preventive | |
Include changes in water storage in the disclosure report. CC ID 15762 | Audits and risk management | Preventive | |
Include a description of water discharge in the disclosure report. CC ID 15755 | Audits and risk management | Preventive | |
Include a description of water withdrawal in the disclosure report. CC ID 15753 | Audits and risk management | Preventive | |
Include the priority substances of concern for which water discharge is treated in the disclosure report. CC ID 15761 | Audits and risk management | Preventive | |
Include the effluent discharge standards in the disclosure report. CC ID 15757 | Audits and risk management | Preventive | |
Include water quality standards in the disclosure report. CC ID 15756 | Audits and risk management | Preventive | |
Include business continuity risks in the disclosure report. CC ID 15608 | Audits and risk management | Preventive | |
Include incidents in which encrypted data were acquired with a valid encryption key in the disclosure report. CC ID 15546 | Audits and risk management | Preventive | |
Include recycling in the disclosure report. CC ID 15579 | Audits and risk management | Preventive | |
Include the scope of recycled material in the disclosure report. CC ID 16153 | Audits and risk management | Preventive | |
Include donated materials or refurbished materials in the disclosure report. CC ID 15561 | Audits and risk management | Preventive | |
Include materials being physically handled by third parties for reuse, recycling, or refurbishment in the disclosure report. CC ID 15577 | Audits and risk management | Preventive | |
Include materials being physically handled by the organization for reuse, recycling, or refurbishment in the disclosure report. CC ID 15575 | Audits and risk management | Preventive | |
Include the reuse of materials recovered in the disclosure report. CC ID 15566 | Audits and risk management | Preventive | |
Include products, materials, and parts at the end of their useful life in the disclosure report. CC ID 15553 | Audits and risk management | Preventive | |
Exclude products and parts waiting for repair and under warranty in the disclosure report. CC ID 15551 | Audits and risk management | Preventive | |
Include all monetary liabilities to third parties in the disclosure report. CC ID 15572 | Audits and risk management | Preventive | |
Include both first-party advertising and third-party advertising in the disclosure report. CC ID 15554 | Audits and risk management | Preventive | |
Include the corrective action plan in the disclosure report. CC ID 15900 | Audits and risk management | Preventive | |
Include the costs of corrective actions in the disclosure report. CC ID 16098 | Audits and risk management | Preventive | |
Include exclusions from the scope of disclosure for each material topic in the disclosure report. CC ID 15893 | Audits and risk management | Preventive | |
Include a justification for each exclusion from the scope of disclosure for each material topic in the disclosure report. CC ID 15892 | Audits and risk management | Preventive | |
Include incidents with indications that encrypted data could be readily converted to plain text in the disclosure report. CC ID 15544 | Audits and risk management | Preventive | |
Limit disclosures to data breaches that resulted in a deviation from expected outcomes for confidentiality or integrity in the disclosure report. CC ID 15545 | Audits and risk management | Preventive | |
Limit the disclosure of breaches to those in which the individuals were notified in the disclosure report. CC ID 15550 | Audits and risk management | Preventive | |
Restrict disclosures to wireless communications services in the disclosure report. CC ID 15555 | Audits and risk management | Preventive | |
Restrict disclosures to wireline communications services in the disclosure report. CC ID 15556 | Audits and risk management | Preventive | |
Restrict disclosure to Internet Service Provider services in the disclosure report. CC ID 15569 | Audits and risk management | Preventive | |
Exclude legal fees and expenses used for defense in the disclosure report. CC ID 15571 | Audits and risk management | Preventive | |
Include the external requirements to which third parties are compliant in the disclosure report. CC ID 15573 | Audits and risk management | Preventive | |
Include the impact of monitoring, blocking, or filtering products and services in the disclosure report. CC ID 15602 | Audits and risk management | Preventive | |
Include the reclassification of Internet Service Providers in the disclosure report. CC ID 15576 | Audits and risk management | Preventive | |
Include non-monetary sanctions in the disclosure report. CC ID 15872 | Audits and risk management | Preventive | |
Include business activities that negatively impact the target environment in the disclosure report. CC ID 15683 | Audits and risk management | Preventive | |
Include the organization's name in the disclosure report. CC ID 15668 | Audits and risk management | Preventive | |
Include the time period in which privacy breaches occurred in the disclosure report. CC ID 15730 | Audits and risk management | Preventive | |
Include the metrics used to track how material topics and related impacts are managed in the disclosure report. CC ID 15686 | Audits and risk management | Preventive | |
Include the process used to track the effectiveness of corrective actions taken to manage material topics and related impacts in the disclosure report. CC ID 15687 | Audits and risk management | Preventive | |
Include a list of material topics in the disclosure report. CC ID 15656 | Audits and risk management | Preventive | |
Include changes to the list of material topics in the disclosure report. CC ID 15681 | Audits and risk management | Preventive | |
Include the processes used to monitor material topics and related impacts in the disclosure report. CC ID 15819 | Audits and risk management | Preventive | |
Include policies and commitments regarding each material topic in the disclosure report. CC ID 15684 | Audits and risk management | Preventive | |
Include a commitment to preserve human rights in the disclosure report. CC ID 15854 | Audits and risk management | Preventive | |
Include the reasons that policies and commitments are not publicly available in the disclosure report. CC ID 15873 | Audits and risk management | Preventive | |
Include how the impacts related to material topics are managed in the disclosure report. CC ID 15685 | Audits and risk management | Preventive | |
Include the individuals who helped determine the material topics in the disclosure report. CC ID 15680 | Audits and risk management | Preventive | |
Include the impacts related to each material topic in the disclosure report. CC ID 15682 | Audits and risk management | Preventive | |
Include the reversibility or irreversibility of impacts in the disclosure report. CC ID 16037 | Audits and risk management | Preventive | |
Include the impact duration in the disclosure report. CC ID 16036 | Audits and risk management | Preventive | |
Include the extent of impacts in the disclosure report. CC ID 16016 | Audits and risk management | Preventive | |
Include the process for determining material topics in the disclosure report. CC ID 15655 | Audits and risk management | Preventive | |
Refrain from including the same data in other required disclosures, as necessary. CC ID 15732 | Audits and risk management | Preventive | |
Include the process for setting goals and targets in the disclosure report. CC ID 15763 | Audits and risk management | Preventive | |
Include risks to the achievement of goals and targets in the disclosure report. CC ID 16166 | Audits and risk management | Preventive | |
Include the timelines for achieving goals and targets in the disclosure report. CC ID 16164 | Audits and risk management | Preventive | |
Include the mechanisms for achieving goals and targets in the disclosure report. CC ID 16144 | Audits and risk management | Preventive | |
Include the progress towards goals and targets in the disclosure report. CC ID 15688 | Audits and risk management | Preventive | |
Include a justification for disclosures that do not reconcile with data reported in other required disclosures in the disclosure report. CC ID 16053 | Audits and risk management | Preventive | |
Include historical information and future-oriented information in the disclosure report. CC ID 16336 | Audits and risk management | Preventive | |
Include preventive actions in the disclosure report. CC ID 15796 | Audits and risk management | Preventive | |
Include the methodology for reporting future-oriented information in the disclosure report. CC ID 16335 | Audits and risk management | Preventive | |
Include the reporting period in the disclosure report. CC ID 15661 | Audits and risk management | Preventive | |
Include restatements of information from previous reporting periods and an explanation for their use in the disclosure report. CC ID 15827 | Audits and risk management | Preventive | |
Include roles and responsibilities in the disclosure report. CC ID 15846 | Audits and risk management | Preventive | |
Include the organization's location in the disclosure report. CC ID 16311 | Audits and risk management | Preventive | |
Include how conflicts of interest in roles are handled in the disclosure report. CC ID 15848 [Member States shall ensure that statutory auditors and audit firms that carry out statutory audit(s) of public-interest entities publish on their websites, within three months of the end of each financial year, annual transparency reports that include at least the following: a statement concerning the audit firm's independence practices which also confirms that an internal review of independence compliance has been conducted; Article 40 1.(g)] | Audits and risk management | Preventive | |
Include the reporting structure in the disclosure report. CC ID 15845 | Audits and risk management | Preventive | |
Include a description of whistleblowing mechanisms in the disclosure report. CC ID 16027 | Audits and risk management | Preventive | |
Include the differences between the list of entities in financial reporting and in sustainability reporting in the disclosure report. CC ID 15874 | Audits and risk management | Preventive | |
Include the governance structure in the disclosure report. CC ID 15840 [Member States shall ensure that statutory auditors and audit firms that carry out statutory audit(s) of public-interest entities publish on their websites, within three months of the end of each financial year, annual transparency reports that include at least the following: a description of the governance structure of the audit firm; Article 40 1.(c)] | Audits and risk management | Preventive | |
Include stakeholder representation in the disclosure report. CC ID 15847 | Audits and risk management | Preventive | |
Include a description of the composition of governance bodies and committees in the disclosure report. CC ID 15843 | Audits and risk management | Preventive | |
Include a description of significant fluctuations in the total number of contractors and outsource partners in the disclosure report. CC ID 15839 | Audits and risk management | Preventive | |
Include a description of contractual relationships in the disclosure report. CC ID 15838 [Member States shall ensure that statutory auditors and audit firms that carry out statutory audit(s) of public-interest entities publish on their websites, within three months of the end of each financial year, annual transparency reports that include at least the following: where the audit firm belongs to a network, a description of the network and the legal and structural arrangements in the network; Article 40 1.(b) Member States shall ensure that statutory auditors and audit firms that carry out statutory audit(s) of public-interest entities publish on their websites, within three months of the end of each financial year, annual transparency reports that include at least the following: a list of public-interest entities for which the audit firm has carried out statutory audits during the preceding financial year; Article 40 1.(f)] | Audits and risk management | Preventive | |
Include a description of significant fluctuations in the total number of employees in the disclosure report. CC ID 15836 | Audits and risk management | Preventive | |
Include research findings based on previous and current research methodologies in the disclosure report. CC ID 15630 | Audits and risk management | Preventive | |
Include the methodology used to report numbers in the disclosure report. CC ID 15841 | Audits and risk management | Preventive | |
Include definitions of terms in the disclosure report. CC ID 15832 | Audits and risk management | Preventive | |
Include a description of third party relationships in the disclosure report. CC ID 15830 | Audits and risk management | Preventive | |
Include the type of work performed by contractors and outsource partners in the disclosure report. CC ID 15842 | Audits and risk management | Preventive | |
Include any changes made to information in restatements in the disclosure report. CC ID 15829 | Audits and risk management | Preventive | |
Include the criteria for determining when to use restatements in the disclosure report. CC ID 15828 | Audits and risk management | Preventive | |
Include points of contact in the disclosure report. CC ID 15826 | Audits and risk management | Preventive | |
Include the reason that reporting periods for different reports do not align in the disclosure report. CC ID 15825 | Audits and risk management | Preventive | |
Include a description of how information is consolidated in the disclosure report. CC ID 15824 | Audits and risk management | Preventive | |
Include the legal form of organization in the disclosure report. CC ID 15823 | Audits and risk management | Preventive | |
Include the ownership structure in the disclosure report. CC ID 15822 [Member States shall ensure that statutory auditors and audit firms that carry out statutory audit(s) of public-interest entities publish on their websites, within three months of the end of each financial year, annual transparency reports that include at least the following: a description of the legal structure and ownership; Article 40 1.(a)] | Audits and risk management | Preventive | |
Include the shareholding structure in the disclosure report. CC ID 16093 | Audits and risk management | Preventive | |
Include the processes used to collect and monitor in scope information in the disclosure report. CC ID 15779 | Audits and risk management | Preventive | |
Refrain from including out of scope information in the disclosure report. CC ID 15793 | Audits and risk management | Preventive | |
Include the processes used to assess third party compliance in the disclosure report. CC ID 15773 | Audits and risk management | Preventive | |
Include the calculation methodology in the disclosure report. CC ID 15733 | Audits and risk management | Preventive | |
Include the rationale for choosing the calculation methodology in the disclosure report. CC ID 15734 | Audits and risk management | Preventive | |
Include the effects of changes to calculation methodologies in the disclosure report. CC ID 16344 | Audits and risk management | Preventive | |
Include the source of conversion factors in the disclosure report. CC ID 15747 | Audits and risk management | Preventive | |
Include known limitations in the disclosure report. CC ID 15669 | Audits and risk management | Preventive | |
Include the lessons learned in the disclosure report. CC ID 15689 | Audits and risk management | Preventive | |
Include how lessons learned are incorporated into policies and procedures in the disclosure report. CC ID 15690 | Audits and risk management | Preventive | |
Include whether training requirements apply to third parties in the disclosure report. CC ID 15727 | Audits and risk management | Preventive | |
Include a link to the content index in the disclosure report. CC ID 15666 | Audits and risk management | Preventive | |
Include stakeholder engagement activities in the disclosure report. CC ID 15691 | Audits and risk management | Preventive | |
Include supplemental disclosures in the disclosure report. CC ID 15629 | Audits and risk management | Preventive | |
Establish, implement, and maintain information flow control policies inside the system and between interconnected systems. CC ID 01410 | Technical security | Preventive | |
Establish, implement, and maintain information exchange procedures. CC ID 11782 [Paragraph 2 shall not prevent competent authorities from exchanging confidential information. Information thus exchanged shall be covered by the obligation of professional secrecy, to which persons employed or formerly employed by competent authorities are subject. Article 36 3.] | Technical security | Preventive | |
Include the connected Information Technology assets in the information exchange procedures. CC ID 17025 | Technical security | Preventive | |
Include connection termination procedures in the information exchange procedures. CC ID 17027 | Technical security | Preventive | |
Include the data sensitivity levels in the information exchange procedures. CC ID 17024 [Paragraph 2 shall not prevent competent authorities from exchanging confidential information. Information thus exchanged shall be covered by the obligation of professional secrecy, to which persons employed or formerly employed by competent authorities are subject. Article 36 3.] | Technical security | Preventive | |
Include communication requirements in the information exchange procedures. CC ID 17026 | Technical security | Preventive | |
Include roles and responsibilities in the information exchange procedures. CC ID 17023 | Technical security | Preventive | |
Include contact information in the information exchange procedures. CC ID 17307 | Technical security | Preventive | |
Include implementation procedures in the information exchange procedures. CC ID 17022 | Technical security | Preventive | |
Include security controls in the information exchange procedures. CC ID 17021 | Technical security | Preventive | |
Include testing procedures in the information exchange procedures. CC ID 17020 | Technical security | Preventive | |
Include measurement criteria in the information exchange procedures. CC ID 17019 | Technical security | Preventive | |
Include training requirements in the information exchange procedures. CC ID 17017 | Technical security | Preventive | |
Establish, implement, and maintain a personnel management program. CC ID 14018 | Human Resources management | Preventive | |
Document any reasons a full criminal records check could not be performed. CC ID 13305 | Human Resources management | Preventive | |
Include evidence of experience in applications for professional certification. CC ID 16193 | Human Resources management | Preventive | |
Include supporting documentation in applications for professional certification. CC ID 16195 | Human Resources management | Preventive | |
Include portions of the visitor control program in the training plan. CC ID 13287 | Human Resources management | Preventive | |
Establish, implement, and maintain a security awareness and training policy. CC ID 14022 | Human Resources management | Preventive | |
Include compliance requirements in the security awareness and training policy. CC ID 14092 | Human Resources management | Preventive | |
Include coordination amongst entities in the security awareness and training policy. CC ID 14091 | Human Resources management | Preventive | |
Establish, implement, and maintain security awareness and training procedures. CC ID 14054 | Human Resources management | Preventive | |
Include management commitment in the security awareness and training policy. CC ID 14049 | Human Resources management | Preventive | |
Include roles and responsibilities in the security awareness and training policy. CC ID 14048 | Human Resources management | Preventive | |
Include the scope in the security awareness and training policy. CC ID 14047 | Human Resources management | Preventive | |
Include the purpose in the security awareness and training policy. CC ID 14045 | Human Resources management | Preventive | |
Include configuration management procedures in the security awareness program. CC ID 13967 | Human Resources management | Preventive | |
Document security awareness requirements. CC ID 12146 | Human Resources management | Preventive | |
Include a requirement to train all new hires and interested personnel in the security awareness program. CC ID 11800 | Human Resources management | Preventive | |
Include remote access in the security awareness program. CC ID 13892 | Human Resources management | Preventive | |
Document the goals of the security awareness program. CC ID 12145 | Human Resources management | Preventive | |
Compare current security awareness assessment reports to the security awareness baseline. CC ID 12150 | Human Resources management | Preventive | |
Document the scope of the security awareness program. CC ID 12148 | Human Resources management | Preventive | |
Establish, implement, and maintain a security awareness baseline. CC ID 12147 | Human Resources management | Preventive | |
Establish, implement, and maintain an environmental management system awareness program. CC ID 15200 | Human Resources management | Preventive | |
Establish, implement, and maintain a conflict of interest policy. CC ID 14785 [{do not exist} Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: the selection of reviewers for specific quality assurance review assignments shall be effected in accordance with an objective procedure designed to ensure that there are no conflicts of interest between the reviewers and the statutory auditor or audit firm under review; Article 29 1.(e) The competent authorities shall be organised in such a manner that conflicts of interests are avoided. Article 35 2.] | Human Resources management | Preventive | |
Include definitions of conflicts of interest in the conflict of interest policy. CC ID 14792 | Human Resources management | Preventive | |
Include roles and responsibilities in the conflict of interest policy. CC ID 14790 | Human Resources management | Preventive | |
Establish, implement, and maintain a training program to report compliance violations. CC ID 11835 | Human Resources management | Preventive | |
Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 | Operational management | Preventive | |
Establish, implement, and maintain an information security program. CC ID 00812 | Operational management | Preventive | |
Establish, implement, and maintain operational control procedures. CC ID 00831 | Operational management | Preventive | |
Establish, implement, and maintain a Standard Operating Procedures Manual. CC ID 00826 | Operational management | Preventive | |
Include contact details in the registration database. CC ID 15109 [The public register shall also contain the name and address of the competent authorities responsible for approval as referred to in Article 3, for quality assurance as referred to in Article 29, for investigations and penalties on statutory auditors and audit firms as referred to in Article 30, and for public oversight as referred to in Article 32. Article 15 3. As regards statutory auditors, the public register shall contain at least the following information: name, address and registration number; Article 16 1.(a) As regards statutory auditors, the public register shall contain at least the following information: if applicable, the name, address, website address and registration number of the audit firm(s) by which the statutory auditor is employed, or with whom he or she is associated as a partner or otherwise; Article 16 1.(b) As regards audit firms, the public register shall contain at least the following information: name, address and registration number; Article 17 1.(a) As regards audit firms, the public register shall contain at least the following information: contact information, the primary contact person and, where applicable, the website address; Article 17 1.(c) As regards audit firms, the public register shall contain at least the following information: address of each office in the Member State; Article 17 1.(d) As regards audit firms, the public register shall contain at least the following information: names and business addresses of all members of the administrative or management body; Article 17 1.(g) As regards audit firms, the public register shall contain at least the following information: if applicable, the membership of a network and a list of the names and addresses of member firms and affiliates or an indication of the place where such information is publicly available; Article 17 1.(h)] | Operational management | Preventive | |
Include personal data in the registration database, as necessary. CC ID 15108 | Operational management | Preventive | |
Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain a personal data accountability program. CC ID 13432 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain approval applications. CC ID 16778 [The competent authorities of the Member States shall establish procedures for the approval of statutory auditors who have been approved in other Member States. Those procedures shall not go beyond a requirement to pass an aptitude test in accordance with Article 4 of Council Directive 89/48/EEC of 21 December 1988 on a general system for the recognition of higher-education diplomas awarded on completion of professional education and training of at least three years' duration (18). The aptitude test, which shall be conducted in one of the languages permitted by the language rules applicable in the Member State concerned, shall cover only the statutory auditor's adequate knowledge of the laws and regulations of that Member State in so far as relevant to statutory audits. Article 14 ¶ 1] | Privacy protection for information and data | Preventive | |
Include required information in the approval application. CC ID 16628 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain a personal data use limitation program. CC ID 13428 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain data access procedures. CC ID 00414 [The working arrangements referred to in paragraph 1(d) shall ensure that: justification as to the purpose of the request for audit working papers and other documents is provided by the competent authorities; Article 47 2.(a)] | Privacy protection for information and data | Preventive | |
Require data access requests to be in writing, unless the requester is unable. CC ID 00420 | Privacy protection for information and data | Preventive | |
Define what is to be included in a data access request. CC ID 08699 | Privacy protection for information and data | Preventive | |
Deliver the records described in the personal data access request, as necessary. CC ID 08701 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain procedures for individuals to be able to modify their personal data, as necessary. CC ID 11811 | Privacy protection for information and data | Preventive | |
Include a liability waiver for any harm caused by the exclusion of personal data in the personal data removal request. CC ID 11975 | Privacy protection for information and data | Preventive | |
Notify third parties of data access requests that relate to the third party. CC ID 08703 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain restricted data use limitation procedures. CC ID 00128 | Privacy protection for information and data | Preventive | |
Document the conditions for the use or disclosure of Individually Identifiable Health Information by a covered entity to another covered entity. CC ID 00210 | Privacy protection for information and data | Preventive | |
Disclose Individually Identifiable Health Information for research use when the appropriate requirements are included in the approval documentation or waiver documentation. CC ID 06257 | Privacy protection for information and data | Preventive | |
Document the conditions for the disclosure of Individually Identifiable Health Information by an organization providing healthcare services to organizations other than business associates or other covered entities. CC ID 00201 | Privacy protection for information and data | Preventive | |
Document how Individually Identifiable Health Information is used and disclosed when authorization has been granted. CC ID 00216 | Privacy protection for information and data | Preventive | |
Define and implement valid authorization control requirements. CC ID 06258 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain data disclosure procedures. CC ID 00133 [Each Member State shall ensure that statutory auditors and audit firms are entered in a public register in accordance with Articles 16 and 17. In exceptional circumstances, Member States may disapply the requirements laid down in this Article and Article 16 regarding disclosure only to the extent necessary to mitigate an imminent and significant threat to the personal security of any person. Article 15 1.] | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain data request denial procedures. CC ID 00434 [The working arrangements referred to in paragraph 1(d) shall ensure that: the request from a competent authority of a third country for audit working papers or other documents held by a statutory auditor or audit firm can be refused: where judicial proceedings have already been initiated in respect of the same actions and against the same persons before the authorities of the requested Member State. Article 47 2.(d) Bullet 2 The working arrangements referred to in paragraph 1(d) shall ensure that: the request from a competent authority of a third country for audit working papers or other documents held by a statutory auditor or audit firm can be refused: where the provision of those working papers or documents would adversely affect the sovereignty, security or public order of the Community or of the requested Member State, or Article 47 2.(d) Bullet 1] | Privacy protection for information and data | Preventive | |
Document that a data search was conducted in case the requested data cannot be found. CC ID 06953 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain a data handling program. CC ID 13427 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain data handling policies. CC ID 00353 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain data and information confidentiality policies. CC ID 00361 [The obligation of professional secrecy shall apply to all persons who are employed or who have been employed by competent authorities. Information covered by professional secrecy may not be disclosed to any other person or authority except by virtue of the laws, regulations or administrative procedures of a Member State. Article 36 2.] | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain suspicious document procedures. CC ID 04852 | Privacy protection for information and data | Detective | |
Structure the language of compliance documents. CC ID 06098 | Harmonization Methods and Manual of Style | Preventive | |
Standardize word usage. CC ID 06104 | Harmonization Methods and Manual of Style | Preventive | |
Write policies and instructions using clear and conspicuous language. CC ID 16286 [Member States shall require statutory auditors and audit firms to carry out statutory audits in compliance with international auditing standards adopted by the Commission in accordance with the procedure referred to in Article 48(2). Member States may apply a national auditing standard as long as the Commission has not adopted an international auditing standard covering the same subject-matter. Adopted international auditing standards shall be published in full in each of the official languages of the Community in the Official Journal of the European Union. Article 26 1.] | Harmonization Methods and Manual of Style | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Define the qualification requirements for auditors. CC ID 17259 [The competent authorities of the Member States may approve as audit firms only those entities which satisfy the following conditions: the natural persons who carry out statutory audits on behalf of an audit firm must satisfy at least the conditions imposed by Articles 4 and 6 to 12 and must be approved as statutory auditors in the Member State concerned; Article 3 4.(a) Without prejudice to Article 11, the competent authorities of the Member States may approve as statutory auditors only natural persons who satisfy at least the conditions laid down in Articles 4 and 6 to 10. Article 3 3. The competent authorities of the Member States may approve as audit firms only those entities which satisfy the following conditions: a majority of the voting rights in an entity must be held by audit firms which are approved in any Member State or by natural persons who satisfy at least the conditions imposed by Articles 4 and 6 to 12. Member States may provide that such natural persons must also have been approved in another Member State. For the purpose of the statutory audit of cooperatives and similar entities as referred to in Article 45 of Directive 86/635/EEC, Member States may establish other specific provisions in relation to voting rights; Article 3 4.(b) The competent authorities of the Member States may approve as audit firms only those entities which satisfy the following conditions: a majority — up to a maximum of 75 % — of the members of the administrative or management body of the entity must be audit firms which are approved in any Member State or natural persons who satisfy at least the conditions imposed by Articles 4 and 6 to 12. Member States may provide that such natural persons must also have been approved in another Member State. Where such a body has no more than two members, one of those members must satisfy at least the conditions in this point; Article 3 4.(c) The competent authorities of the Member States may approve as audit firms only those entities which satisfy the following conditions: the firm must satisfy the condition imposed by Article 4. Article 3 4.(d) {audit firms} The competent authorities of a Member State may grant approval only to natural persons or firms of good repute. Article 4 ¶ 1 Without prejudice to Article 11, a natural person may be approved to carry out a statutory audit only after having attained university entrance or equivalent level, then completed a course of theoretical instruction, undergone practical training and passed an examination of professional competence of university final or equivalent examination level, organised or recognised by the Member State concerned. Article 6 ¶ 1 A Member State may approve a person who does not satisfy the conditions laid down in Article 6 as a statutory auditor, if he or she can show either: that he or she has, for 15 years, engaged in professional activities which have enabled him or her to acquire sufficient experience in the fields of finance, law and accountancy, and has passed the examination of professional competence referred to in Article 7, or Article 11 ¶ 1 (a) A Member State may approve a person who does not satisfy the conditions laid down in Article 6 as a statutory auditor, if he or she can show either: that he or she has, for seven years, engaged in professional activities in those fields and has, in addition, undergone the practical training referred to in Article 10 and passed the examination of professional competence referred to in Article 7. Article 11 ¶ 1 (b) The competent authorities of the Member States shall establish procedures for the approval of statutory auditors who have been approved in other Member States. Those procedures shall not go beyond a requirement to pass an aptitude test in accordance with Article 4 of Council Directive 89/48/EEC of 21 December 1988 on a general system for the recognition of higher-education diplomas awarded on completion of professional education and training of at least three years' duration (18). The aptitude test, which shall be conducted in one of the languages permitted by the language rules applicable in the Member State concerned, shall cover only the statutory auditor's adequate knowledge of the laws and regulations of that Member State in so far as relevant to statutory audits. Article 14 ¶ 1 In order to ensure the ability to apply theoretical knowledge in practice, a test of which is included in the examination, a trainee shall complete a minimum of three years' practical training in, inter alia, the auditing of annual accounts, consolidated accounts or similar financial statements. At least two thirds of such practical training shall be completed with a statutory auditor or audit firm approved in any Member State. Article 10 1. Member States shall ensure that the key audit partner(s) responsible for carrying out a statutory audit rotate(s) from the audit engagement within a maximum period of seven years from the date of appointment and is/are allowed to participate in the audit of the audited entity again after a period of at least two years. Article 42 2. Subject to reciprocity, the competent authorities of a Member State may approve a third-country auditor as statutory auditor if that person has furnished proof that he or she complies with requirements equivalent to those laid down in Articles 4 and 6 to 13. Article 44 1.] | Audits and risk management | Preventive | |
Include roles and responsibilities in the interview procedures. CC ID 16297 | Audits and risk management | Preventive | |
Identify the audit team members in the audit report. CC ID 15259 | Audits and risk management | Detective | |
Define the roles and responsibilities for distributing the audit report. CC ID 16845 | Audits and risk management | Preventive | |
Evaluate the competency of auditors. CC ID 15253 | Audits and risk management | Detective | |
Define and assign board committees, as necessary. CC ID 14787 | Human Resources management | Preventive | |
Define and assign audit committees, as necessary. CC ID 14788 [Each public-interest entity shall have an audit committee. The Member State shall determine whether audit committees are to be composed of non-executive members of the administrative body and/or members of the supervisory body of the audited entity and/or members appointed by the general meeting of shareholders of the audited entity. At least one member of the audit committee shall be independent and shall have competence in accounting and/or auditing. Article 41 1. ¶ 1] | Human Resources management | Preventive | |
Include members with experience in audit practices, financial reporting, and accounting in the audit committee. CC ID 14796 [Each public-interest entity shall have an audit committee. The Member State shall determine whether audit committees are to be composed of non-executive members of the administrative body and/or members of the supervisory body of the audited entity and/or members appointed by the general meeting of shareholders of the audited entity. At least one member of the audit committee shall be independent and shall have competence in accounting and/or auditing. Article 41 1. ¶ 1] | Human Resources management | Preventive | |
Support certification programs as viable training programs. CC ID 13268 [Member States may provide that periods of theoretical instruction in the fields referred to in Article 8 shall count towards the periods of professional activity referred to in Article 11, provided that such instruction is attested by an examination recognised by the State. Such instruction shall not last less than one year, nor may it reduce the period of professional activity by more than four years. Article 12 1.] | Human Resources management | Preventive | |
Hire third parties to conduct training, as necessary. CC ID 13167 | Human Resources management | Preventive | |
Establish and maintain a steering committee to guide the security awareness program. CC ID 12149 | Human Resources management | Preventive | |
Encourage interested personnel to obtain security certification. CC ID 11804 | Human Resources management | Preventive | |
Establish, implement, and maintain an ethics program. CC ID 11496 [Member States shall ensure that all statutory auditors and audit firms are subject to principles of professional ethics, covering at least their public-interest function, their integrity and objectivity and their professional competence and due care. Article 21 1. The system of public oversight shall have the ultimate responsibility for the oversight of: the adoption of standards on professional ethics, internal quality control of audit firms and auditing, and Article 32 4.(b)] | Human Resources management | Preventive | |
Apply legal remedies to any person knowingly partaking in illegal actions. CC ID 11515 | Human Resources management | Preventive | |
Include prohibiting counterfeiting in the ethics program. CC ID 11517 | Human Resources management | Preventive | |
Refrain from assigning roles and responsibilities that breach segregation of duties. CC ID 12055 | Human Resources management | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Leadership and high level objectives CC ID 00597 | Leadership and high level objectives | IT Impact Zone | |
Monitoring and measurement CC ID 00636 | Monitoring and measurement | IT Impact Zone | |
Audits and risk management CC ID 00677 | Audits and risk management | IT Impact Zone | |
Technical security CC ID 00508 | Technical security | IT Impact Zone | |
Human Resources management CC ID 00763 | Human Resources management | IT Impact Zone | |
Operational management CC ID 00805 | Operational management | IT Impact Zone | |
Privacy protection for information and data CC ID 00008 | Privacy protection for information and data | IT Impact Zone | |
Harmonization Methods and Manual of Style CC ID 06095 | Harmonization Methods and Manual of Style | IT Impact Zone |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Investigate discrepancies between the information received and the information verified for each funds transfer. CC ID 16757 | Leadership and high level objectives | Detective | |
Determine the amount of assets to be held in escrow. CC ID 16575 | Leadership and high level objectives | Detective | |
Examine the availability of the audit criteria in the audit program. CC ID 16520 | Audits and risk management | Preventive | |
Audit cybersecurity risk management within the policies, standards, and procedures of the organization. CC ID 13011 | Audits and risk management | Detective | |
Audit the potential costs of compromise to information systems. CC ID 13012 | Audits and risk management | Detective | |
Permit assessment teams to conduct audits, as necessary. CC ID 16430 | Audits and risk management | Detective | |
Determine the effect of deficiencies on the audit report, as necessary. CC ID 14886 | Audits and risk management | Detective | |
Establish, implement, and maintain investigation procedures addressing ethics complaints. CC ID 12900 | Human Resources management | Preventive | |
Analyze requirements for processing personal data in contracts. CC ID 12550 | Privacy protection for information and data | Detective | |
Perform an identity check prior to approving an account change request. CC ID 13670 | Privacy protection for information and data | Detective |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Log issuers who send personal data in cleartext in the transfer audit log. CC ID 12312 | Technical security | Preventive | |
Log the disclosure of personal data. CC ID 06628 | Privacy protection for information and data | Preventive | |
Log the modification of personal data. CC ID 11844 | Privacy protection for information and data | Preventive | |
Log account access dates and report when dormant accounts suddenly exhibit unusual activity. CC ID 04874 | Privacy protection for information and data | Detective | |
Log dates for account name changes or address changes. CC ID 04876 | Privacy protection for information and data | Detective |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Analyze organizational objectives, functions, and activities. CC ID 00598 | Leadership and high level objectives | Preventive | |
Include monitoring and analysis capabilities in the quality management program. CC ID 17153 | Leadership and high level objectives | Preventive | |
Monitor the performance of the margin system. CC ID 16655 | Leadership and high level objectives | Detective | |
Monitor personnel and third parties for compliance to the organizational compliance framework. CC ID 04726 | Monitoring and measurement | Detective | |
Enforce information flow control. CC ID 11781 | Technical security | Preventive | |
Include continuous monitoring for conflicts of interest in the conflict of interest policy. CC ID 17190 | Human Resources management | Preventive | |
Analyze the organizational climate regarding support for expectation of responsible behavior and integrity. CC ID 12873 | Human Resources management | Preventive | |
Analyze the organizational climate regarding the expectation of responsible behavior and integrity. CC ID 12872 | Human Resources management | Preventive | |
Identify potential red flags to alert the organization before a data leakage has occurred. CC ID 04654 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain suspicious user account activity procedures. CC ID 04854 | Privacy protection for information and data | Detective | |
Report fraudulent account activity, unauthorized transactions, or discrepancies with current accounts. CC ID 04875 | Privacy protection for information and data | Corrective | |
Review accounts that are changed for additional user requests. CC ID 11846 | Privacy protection for information and data | Detective | |
Review monitored websites for data leakage. CC ID 10593 | Privacy protection for information and data | Detective |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Request extensions for submissions to governing bodies, as necessary. CC ID 16955 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain an oversight team. CC ID 17303 | Leadership and high level objectives | Preventive | |
Include ongoing monitoring in the financial management program. CC ID 16762 | Leadership and high level objectives | Preventive | |
Employ tools to manage settlement and funding flows. CC ID 16743 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a subsidiary compliance program. CC ID 16694 | Leadership and high level objectives | Preventive | |
Analyze the effectiveness of the stress test plan. CC ID 16657 | Leadership and high level objectives | Detective | |
Align the lending policy with the organization's risk acceptance level. CC ID 16716 | Leadership and high level objectives | Preventive | |
Include customer due diligence in the loan administration procedures. CC ID 16736 | Leadership and high level objectives | Preventive | |
Assess the properties of the margin model used in the margin system. CC ID 16658 | Leadership and high level objectives | Detective | |
Analyze the performance of the margin system. CC ID 16654 | Leadership and high level objectives | Detective | |
Mitigate the threats to an auditor's independence. CC ID 17282 [Member States shall ensure that a statutory auditor or an audit firm shall not carry out a statutory audit if there is any direct or indirect financial, business, employment or other relationship — including the provision of additional non-audit services — between the statutory auditor, audit firm or network and the audited entity from which an objective, reasonable and informed third party would conclude that the statutory auditor's or audit firm's independence is compromised. If the statutory auditor's or audit firm's independence is affected by threats, such as self-review, self-interest, advocacy, familiarity or trust or intimidation, the statutory auditor or audit firm must apply safeguards in order to mitigate those threats. If the significance of the threats compared to the safeguards applied is such that his, her or its independence is compromised, the statutory auditor or audit firm shall not carry out the statutory audit. Article 22 2. ¶ 1 Member States shall ensure that a statutory auditor or audit firm documents in the audit working papers all significant threats to his, her or its independence as well as the safeguards applied to mitigate those threats. Article 22 3. {administrative bodies} {management bodies} Member States shall ensure that the owners or shareholders of an audit firm as well as the members of the administrative, management and supervisory bodies of such a firm, or of an affiliated firm, do not intervene in the execution of a statutory audit in any way which jeopardises the independence and objectivity of the statutory auditor who carries out the statutory audit on behalf of the audit firm. Article 24 ¶ 1 In addition to the provisions laid down in Articles 22 and 24, Member States shall ensure that statutory auditors or audit firms that carry out the statutory audit of a public-interest entity: discuss with the audit committee the threats to their independence and the safeguards applied to mitigate those threats as documented by them pursuant to Article 22(3). Article 42 1.(c)] | Audits and risk management | Preventive | |
Refrain from approving changes to the audit terms absent reasonable justification. CC ID 13973 | Audits and risk management | Preventive | |
Determine the effect of fraud and non-compliance on the description of the system in the audit assertion, as necessary. CC ID 13977 | Audits and risk management | Detective | |
Determine the effect of fraud and non-compliance on the achievement of in scope controls in the audit assertion, as necessary. CC ID 13978 | Audits and risk management | Detective | |
Review documentation to determine the effectiveness of in scope controls. CC ID 16522 | Audits and risk management | Preventive | |
Coordinate the scheduling of interviews. CC ID 16293 | Audits and risk management | Preventive | |
Create a schedule for the interviews. CC ID 16292 | Audits and risk management | Preventive | |
Identify interviewees. CC ID 16290 | Audits and risk management | Preventive | |
Discuss unsolved questions with the interviewee. CC ID 16298 | Audits and risk management | Detective | |
Allow interviewee to respond to explanations. CC ID 16296 | Audits and risk management | Detective | |
Explain the requirements being discussed to the interviewee. CC ID 16294 | Audits and risk management | Detective | |
Explain the testing results to the interviewee. CC ID 16291 | Audits and risk management | Preventive | |
Withdraw from the audit, when defined conditions exist. CC ID 13885 | Audits and risk management | Corrective | |
Engage subject matter experts when the auditor requires additional expertise during an attestation engagement, as necessary. CC ID 13971 | Audits and risk management | Preventive | |
Determine the effect of fraud and non-compliance on the audit report, as necessary. CC ID 13979 | Audits and risk management | Detective | |
Refrain from double-counting fuel consumption, as necessary. CC ID 15736 | Audits and risk management | Preventive | |
Include all residences in the criminal records check. CC ID 13306 | Human Resources management | Preventive | |
Provide support for information sharing activities. CC ID 15644 [The competent authorities of Member States responsible for approval, registration, quality assurance, inspection and discipline shall cooperate with each other whenever necessary for the purpose of carrying out their respective responsibilities under this Directive. The competent authorities in a Member State responsible for approval, registration, quality assurance, inspection and discipline shall render assistance to competent authorities in other Member States. In particular, competent authorities shall exchange information and cooperate in investigations related to the carrying-out of statutory audits. Article 36 1.] | Operational management | Preventive | |
Approve the approval application unless applicant has been convicted. CC ID 16603 | Privacy protection for information and data | Preventive | |
Provide the supervisory authority with any information requested by the supervisory authority. CC ID 12606 [Competent authorities shall, on request, and without undue delay, supply any information required for the purpose referred to in paragraph 1. Where necessary, the competent authorities receiving any such request shall, without undue delay, take the necessary measures to gather the required information. Information thus supplied shall be covered by the obligation of professional secrecy to which the persons employed or formerly employed by the competent authorities that received the information are subject. Article 36 4. ¶ 1] | Privacy protection for information and data | Preventive | |
Allow data subjects to submit data requests. CC ID 16545 | Privacy protection for information and data | Preventive | |
Define what is included in a request for a waiver or reduction of fees. CC ID 15522 | Privacy protection for information and data | Preventive | |
Allow affected third parties to consent or object to a data access request. CC ID 08704 | Privacy protection for information and data | Preventive | |
Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is to support the treatment of the individual. CC ID 11969 | Privacy protection for information and data | Preventive | |
Include disclosing personal data that would threaten facilities, property, transport, or communication systems as a reason for denial in the personal data request denial procedures. CC ID 08702 | Privacy protection for information and data | Preventive | |
Include if the record would constitute an action for breach of a duty of confidence as a reason for denial in the personal data request denial procedures. CC ID 08700 | Privacy protection for information and data | Preventive | |
Search the Internet for evidence of data leakage. CC ID 10419 | Privacy protection for information and data | Detective | |
Alert appropriate personnel when data leakage is detected. CC ID 14715 | Privacy protection for information and data | Preventive | |
Take appropriate action when a data leakage is discovered. CC ID 14716 | Privacy protection for information and data | Corrective |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Include information sharing procedures in standard operating procedures. CC ID 12974 | Operational management | Preventive | |
Submit personal data removal requests in writing. CC ID 11973 | Privacy protection for information and data | Preventive | |
Allow authorized individuals to authenticate record entries containing personal data. CC ID 11812 | Privacy protection for information and data | Corrective | |
Refrain from disclosing Individually Identifiable Health Information when in violation of territorial or federal law. CC ID 11966 | Privacy protection for information and data | Preventive | |
Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted with the consent of the data subject. CC ID 11970 | Privacy protection for information and data | Preventive | |
Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted by law. CC ID 11976 | Privacy protection for information and data | Preventive | |
Refrain from disclosing personal data absent consent of the individual or for defined exceptions. CC ID 11967 [The obligation of professional secrecy shall apply to all persons who are employed or who have been employed by competent authorities. Information covered by professional secrecy may not be disclosed to any other person or authority except by virtue of the laws, regulations or administrative procedures of a Member State. Article 36 2.] | Privacy protection for information and data | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Include an issue tracking system in the Quality Management program. CC ID 06824 [Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: recommendations of quality reviews shall be followed up by the statutory auditor or audit firm within a reasonable period. Article 29 1.(j)] | Leadership and high level objectives | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Implement technical controls that limit processing restricted data for specific purposes. CC ID 12646 | Privacy protection for information and data | Preventive | |
Protect electronic messaging information. CC ID 12022 | Privacy protection for information and data | Preventive | |
Render unrecoverable sensitive authentication data after authorization is approved. CC ID 11952 | Privacy protection for information and data | Preventive | |
Encrypt, truncate, or tokenize data fields, as necessary. CC ID 06850 | Privacy protection for information and data | Preventive | |
Implement security measures to protect personal data. CC ID 13606 | Privacy protection for information and data | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Test the protective measures for effectiveness to prevent financial impact to responsible parties. CC ID 16750 | Leadership and high level objectives | Preventive | |
Test the collateral requirements for appropriateness. CC ID 16681 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain stress test plans for financial resources. CC ID 16644 | Leadership and high level objectives | Preventive | |
Include stress scenarios in the stress test plan. CC ID 16659 | Leadership and high level objectives | Preventive | |
Perform stress testing in accordance with the stress test plan. CC ID 16652 | Leadership and high level objectives | Preventive | |
Validate the margin system on a regular basis. CC ID 16660 | Leadership and high level objectives | Detective | |
Report audit findings to interested personnel and affected parties. CC ID 01152 [The statutory auditor or audit firm shall report to the audit committee on key matters arising from the statutory audit, and in particular on material weaknesses in internal control in relation to the financial reporting process. Article 41 4.] | Audits and risk management | Detective | |
Conduct onsite inspections, as necessary. CC ID 16199 | Audits and risk management | Preventive | |
Determine if the audit assertion's in scope controls are reasonable. CC ID 06980 | Audits and risk management | Detective | |
Document test plans for auditing in scope controls. CC ID 06985 | Audits and risk management | Detective | |
Determine the effectiveness of in scope controls. CC ID 06984 [Without prejudice to the responsibility of the members of the administrative, management or supervisory bodies, or of other members who are appointed by the general meeting of shareholders of the audited entity, the audit committee shall, inter alia: monitor the effectiveness of the company's internal control, internal audit where applicable, and risk management systems; Article 41 2.(b)] | Audits and risk management | Detective | |
Include if in scope control deviations allow in scope controls to be performed acceptably in the work papers. CC ID 06987 | Audits and risk management | Detective | |
Submit an audit report that is complete. CC ID 01145 [Member States shall ensure that in the case of a statutory audit of the consolidated accounts of a group of undertakings: when a component of a group of undertakings is audited by auditor(s) or audit entity(ies) from a third country that has no working arrangement as referred to in Article 47, the group auditor is responsible for ensuring proper delivery, when requested, to the public oversight authorities of the documentation of the audit work performed by the third-country auditor(s) or audit entity(ies), including the working papers relevant to the group audit. To ensure such delivery, the group auditor shall retain a copy of such documentation, or alternatively agree with the third-country auditor(s) or audit entity(ies) his proper and unrestricted access upon request, or take any other appropriate action. If legal or other impediments prevent audit working papers from being passed from a third country to the group auditor, the documentation retained by the group auditor shall include evidence that he or she has undertaken the appropriate procedures in order to gain access to the audit documentation, and in the case of impediments other than legal ones arising from country legislation, evidence supporting such an impediment. Article 27 ¶ 1 (c)] | Audits and risk management | Detective | |
Determine the effectiveness of risk control measures. CC ID 06601 [Without prejudice to the responsibility of the members of the administrative, management or supervisory bodies, or of other members who are appointed by the general meeting of shareholders of the audited entity, the audit committee shall, inter alia: monitor the effectiveness of the company's internal control, internal audit where applicable, and risk management systems; Article 41 2.(b)] | Audits and risk management | Detective | |
Test the information exchange procedures. CC ID 17115 | Technical security | Preventive | |
Employ individuals who have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 00782 [Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: the persons who carry out quality assurance reviews shall have appropriate professional education and relevant experience in statutory audit and financial reporting combined with specific training on quality assurance reviews; Article 29 1.(d) The system of public oversight shall be governed by non-practitioners who are knowledgeable in the areas relevant to statutory audit. Member States may, however, allow a minority of practitioners to be involved in the governance of the public oversight system. Persons involved in the governance of the public oversight system shall be selected in accordance with an independent and transparent nomination procedure. Article 32 3.] | Human Resources management | Detective | |
Conduct tests and evaluate training. CC ID 06672 [Member States shall ensure that all training is carried out with persons providing adequate guarantees regarding their ability to provide practical training. Article 10 2.] | Human Resources management | Detective | |
Refrain from storing data elements containing payment card full magnetic stripe data. CC ID 04757 | Privacy protection for information and data | Detective | |
Implement physical controls to protect personal data. CC ID 00355 | Privacy protection for information and data | Preventive | |
Conduct personal data risk assessments. CC ID 00357 | Privacy protection for information and data | Detective |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Provide new hires limited network access to complete computer-based training. CC ID 17008 | Human Resources management | Preventive | |
Submit applications for professional certification. CC ID 16192 | Human Resources management | Preventive | |
Approve training plans, as necessary. CC ID 17193 | Human Resources management | Preventive | |
Train personnel to recognize conditions of diseases or sicknesses, as necessary. CC ID 14383 | Human Resources management | Detective | |
Include prevention techniques in training regarding diseases or sicknesses. CC ID 14387 | Human Resources management | Preventive | |
Include the concept of disease clusters when training to recognize conditions of diseases or sicknesses. CC ID 14386 | Human Resources management | Preventive | |
Train personnel to identify and communicate symptoms of exposure to disease or sickness. CC ID 14385 | Human Resources management | Detective | |
Establish, implement, and maintain a list of tasks to include in the training plan. CC ID 17101 | Human Resources management | Preventive | |
Designate training facilities in the training plan. CC ID 16200 | Human Resources management | Preventive | |
Include insider threats in the security awareness program. CC ID 16963 | Human Resources management | Preventive | |
Conduct personal data processing training. CC ID 13757 | Human Resources management | Preventive | |
Include in personal data processing training how to provide the contact information for the categories of personal data the organization may disclose. CC ID 13758 | Human Resources management | Preventive | |
Complete security awareness training prior to being granted access to information systems or data. CC ID 17009 | Human Resources management | Preventive | |
Include media protection in the security awareness program. CC ID 16368 | Human Resources management | Preventive | |
Include identity and access management in the security awareness program. CC ID 17013 | Human Resources management | Preventive | |
Include the encryption process in the security awareness program. CC ID 17014 | Human Resources management | Preventive | |
Include physical security in the security awareness program. CC ID 16369 | Human Resources management | Preventive | |
Include data management in the security awareness program. CC ID 17010 | Human Resources management | Preventive | |
Include e-mail and electronic messaging in the security awareness program. CC ID 17012 | Human Resources management | Preventive | |
Include updates on emerging issues in the security awareness program. CC ID 13184 | Human Resources management | Preventive | |
Include cybersecurity in the security awareness program. CC ID 13183 | Human Resources management | Preventive | |
Include implications of non-compliance in the security awareness program. CC ID 16425 | Human Resources management | Preventive | |
Include social networking in the security awareness program. CC ID 17011 | Human Resources management | Preventive | |
Include the acceptable use policy in the security awareness program. CC ID 15487 | Human Resources management | Preventive | |
Train all personnel and third parties on how to recognize and report system failures. CC ID 13475 | Human Resources management | Preventive |
There are three types of Common Control classifications: corrective, detective, and preventive. Common Controls at the top level have the default assignment of Impact Zone.
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
---|---|---|---|
Carry out disciplinary actions when a compliance violation is detected. CC ID 06675 [Member States shall ensure that statutory auditors are required to take part in appropriate programmes of continuing education in order to maintain their theoretical knowledge, professional skills and values at a sufficiently high level, and that failure to respect the continuing education requirements is subject to appropriate penalties as referred to in Article 30. Article 13 ¶ 1 If the recommendations referred to in point (j) are not followed up, the statutory auditor or audit firm shall, if applicable, be subject to the system of disciplinary actions or penalties referred to in Article 30. Article 29 1. ¶ 1 Where a competent authority concludes that activities contrary to the provisions of this Directive are being or have been carried out on the territory of another Member State, it shall notify the competent authority of the other Member State of that conclusion in as specific a manner as possible. The competent authority of the other Member State shall take appropriate action. It shall inform the notifying competent authority of the outcome and, to the extent possible, of significant interim developments. Article 36 5. Without prejudice to Member States' civil liability regimes, Member States shall provide for effective, proportionate and dissuasive penalties in respect of statutory auditors and audit firms, where statutory audits are not carried out in conformity with the provisions adopted in the implementation of this Directive. Article 30 2. {investigation process} {disciplinary process} The system of public oversight shall have the ultimate responsibility for the oversight of: continuing education, quality assurance and investigative and disciplinary systems. Article 32 4.(c) The system of public oversight shall have the right, where necessary, to conduct investigations in relation to statutory auditors and audit firms and the right to take appropriate action. Article 32 5. {third-country audit entity} Member States shall subject registered third-country auditors and audit entities to their systems of oversight, their quality assurance systems and their systems of investigation and penalties. A Member State may exempt a registered third-country auditor or audit entity from being subject to its quality assurance system if another Member State's or third country's system of quality assurance that has been assessed as equivalent in accordance with Article 46 has carried out a quality review of the third-country auditor or audit entity concerned during the previous three years. Article 45 3.] | Monitoring and measurement | Behavior | |
Refrain from changing the date of the practitioner's report on agreed-upon procedures when reissuing it. CC ID 13896 | Audits and risk management | Establish/Maintain Documentation | |
Withdraw from the audit, when defined conditions exist. CC ID 13885 | Audits and risk management | Process or Activity | |
Include deficiencies and non-compliance in the audit report. CC ID 14879 | Audits and risk management | Establish/Maintain Documentation | |
Include a description of the reasons for modifying the audit opinion in the audit report. CC ID 13898 | Audits and risk management | Establish/Maintain Documentation | |
Disclaim the audit opinion in the audit report, as necessary. CC ID 13901 | Audits and risk management | Business Processes | |
Modify the audit opinion in the audit report under defined conditions. CC ID 13937 | Audits and risk management | Establish/Maintain Documentation | |
Monitor and report on the status of mitigation actions in the corrective action plan. CC ID 15250 | Audits and risk management | Actionable Reports or Measurements | |
Respond to ethics complaints of ethics violations. CC ID 11497 | Human Resources management | Business Processes | |
Include any reasons for delay if notifying the supervisory authority after the time limit. CC ID 12675 [If the requested competent authority is not able to supply the required information without undue delay, it shall notify the requesting competent authority of the reasons therefor. Article 36 4. ¶ 2] | Privacy protection for information and data | Communicate | |
Allow authorized individuals to authenticate record entries containing personal data. CC ID 11812 | Privacy protection for information and data | Records Management | |
Notify the subject of care when a lack of availability of health information systems might have adversely affected their care. CC ID 13990 | Privacy protection for information and data | Communicate | |
Refrain from disseminating and communicating with individuals that have opted out of direct marketing communications. CC ID 13708 | Privacy protection for information and data | Communicate | |
Report fraudulent account activity, unauthorized transactions, or discrepancies with current accounts. CC ID 04875 | Privacy protection for information and data | Monitor and Evaluate Occurrences | |
Take appropriate action when a data leakage is discovered. CC ID 14716 | Privacy protection for information and data | Process or Activity |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
---|---|---|---|
Enforce a continuous Quality Control system. CC ID 01005 [Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: quality assurance reviews shall take place at least every six years; Article 29 1.(h) The system of public oversight shall have the ultimate responsibility for the oversight of: the adoption of standards on professional ethics, internal quality control of audit firms and auditing, and Article 32 4.(b)] | Leadership and high level objectives | Business Processes | |
Investigate discrepancies between the information received and the information verified for each funds transfer. CC ID 16757 | Leadership and high level objectives | Investigate | |
Verify all required information is attached to each funds transfer. CC ID 16755 | Leadership and high level objectives | Business Processes | |
Analyze the effectiveness of the stress test plan. CC ID 16657 | Leadership and high level objectives | Process or Activity | |
Validate the margin system on a regular basis. CC ID 16660 | Leadership and high level objectives | Testing | |
Assess the properties of the margin model used in the margin system. CC ID 16658 | Leadership and high level objectives | Process or Activity | |
Monitor the performance of the margin system. CC ID 16655 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
Analyze the performance of the margin system. CC ID 16654 | Leadership and high level objectives | Process or Activity | |
Determine the amount of assets to be held in escrow. CC ID 16575 | Leadership and high level objectives | Investigate | |
Monitor personnel and third parties for compliance to the organizational compliance framework. CC ID 04726 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Report audit findings to interested personnel and affected parties. CC ID 01152 [The statutory auditor or audit firm shall report to the audit committee on key matters arising from the statutory audit, and in particular on material weaknesses in internal control in relation to the financial reporting process. Article 41 4.] | Audits and risk management | Testing | |
Determine if requested services create a threat to independence. CC ID 16823 [Member States shall ensure that a statutory auditor or audit firm documents in the audit working papers all significant threats to his, her or its independence as well as the safeguards applied to mitigate those threats. Article 22 3. Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: the scope of the quality assurance review, supported by adequate testing of selected audit files, shall include an assessment of compliance with applicable auditing standards and independence requirements, of the quantity and quality of resources spent, of the audit fees charged and of the internal quality control system of the audit firm; Article 29 1.(f) Without prejudice to the responsibility of the members of the administrative, management or supervisory bodies, or of other members who are appointed by the general meeting of shareholders of the audited entity, the audit committee shall, inter alia: review and monitor the independence of the statutory auditor or audit firm, and in particular the provision of additional services to the audited entity. Article 41 2.(d)] | Audits and risk management | Audits and Risk Management | |
Determine the presentation method of the audit assertion's in scope system description. CC ID 14885 | Audits and risk management | Establish/Maintain Documentation | |
Determine the appropriateness of the audit assertion's in scope system description. CC ID 16449 | Audits and risk management | Audits and Risk Management | |
Confirm audit requirements during the opening meeting. CC ID 15255 | Audits and risk management | Audits and Risk Management | |
Establish and maintain audit assertions, as necessary. CC ID 14871 | Audits and risk management | Establish/Maintain Documentation | |
Refrain from performing an attestation engagement under defined conditions. CC ID 13952 [Member States shall in addition ensure that, where statutory audits of public-interest entities are concerned and where appropriate to safeguard the statutory auditor's or audit firm's independence, a statutory auditor or an audit firm shall not carry out a statutory audit in cases of self-review or self-interest. Article 22 2. ¶ 2 Member States shall ensure that a statutory auditor or an audit firm shall not carry out a statutory audit if there is any direct or indirect financial, business, employment or other relationship — including the provision of additional non-audit services — between the statutory auditor, audit firm or network and the audited entity from which an objective, reasonable and informed third party would conclude that the statutory auditor's or audit firm's independence is compromised. If the statutory auditor's or audit firm's independence is affected by threats, such as self-review, self-interest, advocacy, familiarity or trust or intimidation, the statutory auditor or audit firm must apply safeguards in order to mitigate those threats. If the significance of the threats compared to the safeguards applied is such that his, her or its independence is compromised, the statutory auditor or audit firm shall not carry out the statutory audit. Article 22 2. ¶ 1] | Audits and risk management | Audits and Risk Management | |
Identify hypothetical assumptions in forecasts and projections during an audit. CC ID 13946 | Audits and risk management | Audits and Risk Management | |
Refrain from examining forecasts and projections which refrain from disclosing assumptions during an audit. CC ID 13932 | Audits and risk management | Audits and Risk Management | |
Audit cybersecurity risk management within the policies, standards, and procedures of the organization. CC ID 13011 | Audits and risk management | Investigate | |
Audit the potential costs of compromise to information systems. CC ID 13012 | Audits and risk management | Investigate | |
Investigate the nature and causes of misstatements in the audit assertion's in scope system description. CC ID 16557 | Audits and risk management | Audits and Risk Management | |
Determine the effect of fraud and non-compliance on the description of the system in the audit assertion, as necessary. CC ID 13977 | Audits and risk management | Process or Activity | |
Determine if the audit assertion's in scope controls are reasonable. CC ID 06980 | Audits and risk management | Testing | |
Determine the effect of fraud and non-compliance on the achievement of in scope controls in the audit assertion, as necessary. CC ID 13978 | Audits and risk management | Process or Activity | |
Document test plans for auditing in scope controls. CC ID 06985 | Audits and risk management | Testing | |
Determine the effectiveness of in scope controls. CC ID 06984 [Without prejudice to the responsibility of the members of the administrative, management or supervisory bodies, or of other members who are appointed by the general meeting of shareholders of the audited entity, the audit committee shall, inter alia: monitor the effectiveness of the company's internal control, internal audit where applicable, and risk management systems; Article 41 2.(b)] | Audits and risk management | Testing | |
Review audit reports to determine the effectiveness of in scope controls. CC ID 12156 [Without prejudice to the responsibility of the members of the administrative, management or supervisory bodies, or of other members who are appointed by the general meeting of shareholders of the audited entity, the audit committee shall, inter alia: monitor the effectiveness of the company's internal control, internal audit where applicable, and risk management systems; Article 41 2.(b)] | Audits and risk management | Audits and Risk Management | |
Interview stakeholders to determine the effectiveness of in scope controls. CC ID 12154 | Audits and risk management | Audits and Risk Management | |
Review policies and procedures to determine the effectiveness of in scope controls. CC ID 12144 | Audits and risk management | Audits and Risk Management | |
Evaluate personnel status changes to determine the effectiveness of in scope controls. CC ID 16556 | Audits and risk management | Audits and Risk Management | |
Determine whether individuals performing a control have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 16555 | Audits and risk management | Audits and Risk Management | |
Verify statements made by interviewees are correct. CC ID 16299 | Audits and risk management | Behavior | |
Discuss unsolved questions with the interviewee. CC ID 16298 | Audits and risk management | Process or Activity | |
Allow interviewee to respond to explanations. CC ID 16296 | Audits and risk management | Process or Activity | |
Explain the requirements being discussed to the interviewee. CC ID 16294 | Audits and risk management | Process or Activity | |
Include if the audit evidence has identified in scope control deficiencies in the work papers. CC ID 07152 | Audits and risk management | Audits and Risk Management | |
Include if in scope control deviations allow in scope controls to be performed acceptably in the work papers. CC ID 06987 | Audits and risk management | Testing | |
Review the subject matter expert's findings. CC ID 16559 | Audits and risk management | Audits and Risk Management | |
Permit assessment teams to conduct audits, as necessary. CC ID 16430 | Audits and risk management | Investigate | |
Determine what disclosures are required in the audit report. CC ID 14888 | Audits and risk management | Establish/Maintain Documentation | |
Identify the audit team members in the audit report. CC ID 15259 | Audits and risk management | Human Resources Management | |
Identify the participants from the organization being audited in the audit report. CC ID 15258 | Audits and risk management | Audits and Risk Management | |
Review past audit reports. CC ID 01155 [Member States shall ensure that in the case of a statutory audit of the consolidated accounts of a group of undertakings: the group auditor carries out a review and maintains documentation of his or her review of the audit work performed by third-country auditor(s), statutory auditor(s), third-country audit entity(ies) or audit firm(s) for the purpose of the group audit. The documentation retained by the group auditor shall be such as enables the relevant competent authority to review the work of the group auditor properly; Article 27 ¶ 1 (b)] | Audits and risk management | Establish/Maintain Documentation | |
Determine the effect of deficiencies on the audit report, as necessary. CC ID 14886 | Audits and risk management | Investigate | |
Determine the effect of fraud and non-compliance on the audit report, as necessary. CC ID 13979 | Audits and risk management | Process or Activity | |
Submit an audit report that is complete. CC ID 01145 [Member States shall ensure that in the case of a statutory audit of the consolidated accounts of a group of undertakings: when a component of a group of undertakings is audited by auditor(s) or audit entity(ies) from a third country that has no working arrangement as referred to in Article 47, the group auditor is responsible for ensuring proper delivery, when requested, to the public oversight authorities of the documentation of the audit work performed by the third-country auditor(s) or audit entity(ies), including the working papers relevant to the group audit. To ensure such delivery, the group auditor shall retain a copy of such documentation, or alternatively agree with the third-country auditor(s) or audit entity(ies) his proper and unrestricted access upon request, or take any other appropriate action. If legal or other impediments prevent audit working papers from being passed from a third country to the group auditor, the documentation retained by the group auditor shall include evidence that he or she has undertaken the appropriate procedures in order to gain access to the audit documentation, and in the case of impediments other than legal ones arising from country legislation, evidence supporting such an impediment. Article 27 ¶ 1 (c)] | Audits and risk management | Testing | |
Evaluate the competency of auditors. CC ID 15253 | Audits and risk management | Human Resources Management | |
Determine the effectiveness of risk control measures. CC ID 06601 [Without prejudice to the responsibility of the members of the administrative, management or supervisory bodies, or of other members who are appointed by the general meeting of shareholders of the audited entity, the audit committee shall, inter alia: monitor the effectiveness of the company's internal control, internal audit where applicable, and risk management systems; Article 41 2.(b)] | Audits and risk management | Testing | |
Include the percentage of individuals in each gender category in the disclosure report. CC ID 15952 | Audits and risk management | Actionable Reports or Measurements | |
Include the total amount of corporate income tax accrued on profit/loss in the disclosure report. CC ID 16107 | Audits and risk management | Actionable Reports or Measurements | |
Include the total monetary value of subsidies received from the government in the disclosure report. CC ID 16101 | Audits and risk management | Actionable Reports or Measurements | |
Include revenues in the disclosure report. CC ID 16099 | Audits and risk management | Actionable Reports or Measurements | |
Include the economic value distributed in the disclosure report. CC ID 16086 | Audits and risk management | Actionable Reports or Measurements | |
Include total monetary value of payments to capital providers in the disclosure report. CC ID 16092 | Audits and risk management | Actionable Reports or Measurements | |
Include total monetary value of payments to governments in the disclosure report. CC ID 16091 | Audits and risk management | Actionable Reports or Measurements | |
Include total monetary value of employee wages and benefits in the disclosure report. CC ID 16090 | Audits and risk management | Actionable Reports or Measurements | |
Include total monetary value of community investments in the disclosure report. CC ID 16089 | Audits and risk management | Actionable Reports or Measurements | |
Include operating costs in the disclosure report. CC ID 16088 | Audits and risk management | Actionable Reports or Measurements | |
Include economic value retained in the disclosure report. CC ID 16094 | Audits and risk management | Actionable Reports or Measurements | |
Include the direct economic value generated and distributed in the disclosure report. CC ID 16085 | Audits and risk management | Actionable Reports or Measurements | |
Include the total monetary value of financial assistance received from the government in the disclosure report. CC ID 16087 | Audits and risk management | Actionable Reports or Measurements | |
Include the total monetary value of awards received from the government in the disclosure report. CC ID 16106 | Audits and risk management | Actionable Reports or Measurements | |
Include the total monetary value of financial incentives received from the government in the disclosure report. CC ID 16105 | Audits and risk management | Actionable Reports or Measurements | |
Include the total monetary value of tax relief and tax credits received from the government in the disclosure report. CC ID 16102 | Audits and risk management | Actionable Reports or Measurements | |
Include the total monetary value of grants received from the government in the disclosure report. CC ID 16100 | Audits and risk management | Actionable Reports or Measurements | |
Include the total monetary value of royalty holidays received from the government in the disclosure report. CC ID 16097 | Audits and risk management | Actionable Reports or Measurements | |
Include the total monetary value of financial assistance received from Export Credit Agencies in the disclosure report. CC ID 16095 | Audits and risk management | Actionable Reports or Measurements | |
Include the total amount of corporate income tax paid on a cash basis in the disclosure report. CC ID 16050 | Audits and risk management | Actionable Reports or Measurements | |
Include the total monetary value of tangible assets other than cash and cash equivalents in the disclosure report. CC ID 16048 | Audits and risk management | Actionable Reports or Measurements | |
Include revenues from intragroup transactions with other tax jurisdictions in the disclosure report. CC ID 16046 | Audits and risk management | Actionable Reports or Measurements | |
Include revenues from third party sales in the disclosure report. CC ID 16045 | Audits and risk management | Actionable Reports or Measurements | |
Include the profit and loss before tax in the disclosure report. CC ID 16044 | Audits and risk management | Actionable Reports or Measurements | |
Include the percentage of interested personnel and affected parties that have received training on anti-corruption in the disclosure report. CC ID 16073 | Audits and risk management | Actionable Reports or Measurements | |
Include the percentage of interested personnel and affected parties to whom the anti-corruption program has been communicated in the disclosure report. CC ID 16072 | Audits and risk management | Actionable Reports or Measurements | |
Include the total number of interested personnel and affected parties to whom the anti-corruption program has been communicated in the disclosure report. CC ID 16071 | Audits and risk management | Actionable Reports or Measurements | |
Include the total number of incidents where contracts with business partners were terminated due to corruption in the disclosure report. CC ID 16070 | Audits and risk management | Actionable Reports or Measurements | |
Include the total number of interested personnel and affected parties that have received training on anti-corruption in the disclosure report. CC ID 16069 | Audits and risk management | Actionable Reports or Measurements | |
Include the total number of incidents in which employees were dismissed or disciplined for corruption in the disclosure report. CC ID 16068 | Audits and risk management | Actionable Reports or Measurements | |
Include the total number of incidents of corruption in the disclosure report. CC ID 16066 | Audits and risk management | Actionable Reports or Measurements | |
Include the percentage of operations assessed for risks related to corruption in the disclosure report. CC ID 16063 | Audits and risk management | Actionable Reports or Measurements | |
Include the total number of operations assessed for risks related to corruption in the disclosure report. CC ID 16062 | Audits and risk management | Actionable Reports or Measurements | |
Include the total number of listed species with habitats in areas affected by organizational operations in the disclosure report. CC ID 16038 | Audits and risk management | Actionable Reports or Measurements | |
Include the size of operational sites near areas of high biodiversity value in the disclosure report. CC ID 16032 | Audits and risk management | Actionable Reports or Measurements | |
Include the size of habitat areas protected or restored by the organization in the disclosure report. CC ID 16023 | Audits and risk management | Actionable Reports or Measurements | |
Include the percentage of the procurement budget spent on local suppliers in the disclosure report. CC ID 16022 | Audits and risk management | Actionable Reports or Measurements | |
Include gross energy indirect greenhouse gas emissions in the disclosure report. CC ID 16340 | Audits and risk management | Actionable Reports or Measurements | |
Include the total exports of ozone-depleting substances in the disclosure report. CC ID 16083 | Audits and risk management | Actionable Reports or Measurements | |
Include the total imports of ozone-depleting substances in the disclosure report. CC ID 16081 | Audits and risk management | Actionable Reports or Measurements | |
Include the total production of ozone-depleting substances in the disclosure report. CC ID 16079 | Audits and risk management | Actionable Reports or Measurements | |
Include gross other indirect greenhouse gas emissions in the disclosure report. CC ID 16013 | Audits and risk management | Actionable Reports or Measurements | |
Include gross direct greenhouse gas emissions in the disclosure report. CC ID 16009 | Audits and risk management | Actionable Reports or Measurements | |
Include gross direct greenhouse gas emissions from perfluorinated compounds in the disclosure report. CC ID 16146 | Audits and risk management | Actionable Reports or Measurements | |
Include gross market-based energy indirect greenhouse gas emissions in the disclosure report. CC ID 16008 | Audits and risk management | Actionable Reports or Measurements | |
Include biogenic carbon dioxide emissions in the disclosure report. CC ID 16007 | Audits and risk management | Actionable Reports or Measurements | |
Include gross location-based energy indirect greenhouse gas emissions in the disclosure report. CC ID 16006 | Audits and risk management | Actionable Reports or Measurements | |
Include the total amount of significant air emissions in the disclosure report. CC ID 16005 | Audits and risk management | Actionable Reports or Measurements | |
Include the total emissions of nitrogen oxides in the disclosure report. CC ID 16084 | Audits and risk management | Actionable Reports or Measurements | |
Include the total emissions of sulfur oxides in the disclosure report. CC ID 16082 | Audits and risk management | Actionable Reports or Measurements | |
Include the total emissions of volatile organic compounds in the disclosure report. CC ID 16080 | Audits and risk management | Actionable Reports or Measurements | |
Include the total emissions of persistent organic pollutants in the disclosure report. CC ID 16078 | Audits and risk management | Actionable Reports or Measurements | |
Include the total emissions of particulate matter in the disclosure report. CC ID 16077 | Audits and risk management | Actionable Reports or Measurements | |
Include the total emissions of hazardous air pollutants in the disclosure report. CC ID 16076 | Audits and risk management | Actionable Reports or Measurements | |
Include the greenhouse gas emissions intensity ratio in the disclosure report. CC ID 16004 | Audits and risk management | Actionable Reports or Measurements | |
Include the total amount of reductions in greenhouse gas emissions in the disclosure report. CC ID 15999 | Audits and risk management | Actionable Reports or Measurements | |
Include the total number of legal actions against the organization in the disclosure report. CC ID 16003 | Audits and risk management | Actionable Reports or Measurements | |
Include the total number of fines for instances of non-compliance in the disclosure report. CC ID 15950 | Audits and risk management | Actionable Reports or Measurements | |
Include the total weight of hazardous waste generated from manufacturing operations in the disclosure report. CC ID 16163 | Audits and risk management | Actionable Reports or Measurements | |
Include the total volume of significant spills in the disclosure report. CC ID 16010 | Audits and risk management | Actionable Reports or Measurements | |
Include the total number of significant spills in the disclosure report. CC ID 15965 | Audits and risk management | Actionable Reports or Measurements | |
Include the performance qualification score of laptops in the disclosure report. CC ID 16176 | Audits and risk management | Actionable Reports or Measurements | |
Include the battery life score of laptops in the disclosure report. CC ID 16175 | Audits and risk management | Actionable Reports or Measurements | |
Include the energy efficiency of laptop computer processors in the disclosure report. CC ID 16174 | Audits and risk management | Actionable Reports or Measurements | |
Include the energy efficiency of desktop computer processors in the disclosure report. CC ID 16172 | Audits and risk management | Actionable Reports or Measurements | |
Include the energy efficiency of server processors in the disclosure report. CC ID 16170 | Audits and risk management | Actionable Reports or Measurements | |
Include the overall ssj_ops/watt of servers in the disclosure report. CC ID 16162 | Audits and risk management | Actionable Reports or Measurements | |
Include the percentage of products sold that contain declarable substances in the disclosure report. CC ID 16159 | Audits and risk management | Actionable Reports or Measurements | |
Include the SPECspeed2017_int_base score/watt of desktop computers in the disclosure report. CC ID 16160 | Audits and risk management | Actionable Reports or Measurements | |
Include the SPECspeed2017_fp_base score/watt of desktop computers in the disclosure report. CC ID 16157 | Audits and risk management | Actionable Reports or Measurements | |
Include the average actual sustained download speed in the disclosure report. CC ID 15568 | Audits and risk management | Actionable Reports or Measurements | |
Include the average advertised download speed in the disclosure report. CC ID 15567 | Audits and risk management | Actionable Reports or Measurements | |
Include the percentage of water withdrawn from locations with significant baseline water stress in the disclosure report. CC ID 15949 | Audits and risk management | Actionable Reports or Measurements | |
Include the percentage of water consumed from locations with significant baseline water stress in the disclosure report. CC ID 15948 | Audits and risk management | Actionable Reports or Measurements | |
Include the near miss frequency rate for work-related near misses in the disclosure report. CC ID 16228 | Audits and risk management | Actionable Reports or Measurements | |
Include the number of days idle as a result of work stoppages in the disclosure report. CC ID 16217 | Audits and risk management | Actionable Reports or Measurements | |
Include the total monetary value of benefit plan liabilities in the disclosure report. CC ID 16108 | Audits and risk management | Actionable Reports or Measurements | |
Include the percentage of an employee's salary contributed to benefit plans by employee or employer in the disclosure report. CC ID 16103 | Audits and risk management | Actionable Reports or Measurements | |
Include the ratio of entry level wages to the minimum wage in the disclosure report. CC ID 16002 | Audits and risk management | Actionable Reports or Measurements | |
Include the percentage of senior management hired from the local community in the disclosure report. CC ID 16001 | Audits and risk management | Actionable Reports or Measurements | |
Include the percentage of employees covered by collective bargaining agreements in the disclosure report. CC ID 15931 | Audits and risk management | Actionable Reports or Measurements | |
Include the rate of new employee hires in the disclosure report. CC ID 15928 | Audits and risk management | Actionable Reports or Measurements | |
Include the total number of employees who left the organization in the disclosure report. CC ID 16127 | Audits and risk management | Actionable Reports or Measurements | |
Include the number of work stoppages involving one thousand or more workers in the disclosure report. CC ID 16214 | Audits and risk management | Actionable Reports or Measurements | |
Include the total number of employees that were entitled to parental leave in the disclosure report. CC ID 15960 | Audits and risk management | Actionable Reports or Measurements | |
Include the total number of employees that took parental leave in the disclosure report. CC ID 15955 | Audits and risk management | Actionable Reports or Measurements | |
Include the total number of employees that returned to work in the reporting period after parental leave ended in the disclosure report. CC ID 15946 | Audits and risk management | Actionable Reports or Measurements | |
Include the return to work rate of employees that took parental leave in the disclosure report. CC ID 15958 | Audits and risk management | Actionable Reports or Measurements | |
Include the retention rate of employees that took parental leave in the disclosure report. CC ID 15962 | Audits and risk management | Actionable Reports or Measurements | |
Include the user average interruption duration in the disclosure report. CC ID 15558 | Audits and risk management | Actionable Reports or Measurements | |
Include the system average interruption frequency in the disclosure report. CC ID 15565 | Audits and risk management | Actionable Reports or Measurements | |
Include the total number of unique individuals whose information was requested by a third party in the disclosure report. CC ID 15500 | Audits and risk management | Actionable Reports or Measurements | |
Include the percentage of information requests that resulted in disclosure in the disclosure report. CC ID 15560 | Audits and risk management | Actionable Reports or Measurements | |
Include the total number of unique individuals affected by data breaches in the disclosure report. CC ID 15951 | Audits and risk management | Actionable Reports or Measurements | |
Include the percentage of Tier 1 suppliers' manufacturing facilities audited in compliance with the Responsible Business Alliance Validated Audit Process protocol in the disclosure report. CC ID 16216 | Audits and risk management | Actionable Reports or Measurements | |
Include the power usage effectiveness in the disclosure report. CC ID 15552 | Audits and risk management | Actionable Reports or Measurements | |
Include the percentage of energy consumed that is renewable energy in the disclosure report. CC ID 15549 | Audits and risk management | Actionable Reports or Measurements | |
Include the percentage of energy consumed that was supplied by grid electricity in the disclosure report. CC ID 15541 | Audits and risk management | Actionable Reports or Measurements | |
Include the percentage of recovered materials that were reused in the disclosure report. CC ID 15563 | Audits and risk management | Actionable Reports or Measurements | |
Include the percentage of recovered materials that were recycled or remanufactured in the disclosure report. CC ID 15574 | Audits and risk management | Actionable Reports or Measurements | |
Include the weight of recovered materials in the disclosure report. CC ID 16203 | Audits and risk management | Actionable Reports or Measurements | |
Include the percentage of recovered materials that were landfilled in the disclosure report. CC ID 15578 | Audits and risk management | Actionable Reports or Measurements | |
Include the rate of work-related injuries in the disclosure report. CC ID 15944 | Audits and risk management | Actionable Reports or Measurements | |
Include the percentage of employees and non-employees covered by the occupational health and safety management system in the disclosure report. CC ID 15943 | Audits and risk management | Actionable Reports or Measurements | |
Include the percentage of manufacturing facilities audited in compliance with the Responsible Business Alliance Validated Audit Process protocol in the disclosure report. CC ID 16207 | Audits and risk management | Actionable Reports or Measurements | |
Include the rate of fatalities as a result of work-related injuries in the disclosure report. CC ID 15954 | Audits and risk management | Actionable Reports or Measurements | |
Include the number of fatalities as a result of work-related ill health in the disclosure report. CC ID 15942 | Audits and risk management | Actionable Reports or Measurements | |
Include the total number of fatalities as a result of work-related injuries in the disclosure report. CC ID 15953 | Audits and risk management | Actionable Reports or Measurements | |
Employ individuals who have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 00782 [Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: the persons who carry out quality assurance reviews shall have appropriate professional education and relevant experience in statutory audit and financial reporting combined with specific training on quality assurance reviews; Article 29 1.(d) The system of public oversight shall be governed by non-practitioners who are knowledgeable in the areas relevant to statutory audit. Member States may, however, allow a minority of practitioners to be involved in the governance of the public oversight system. Persons involved in the governance of the public oversight system shall be selected in accordance with an independent and transparent nomination procedure. Article 32 3.] | Human Resources management | Testing | |
Conduct tests and evaluate training. CC ID 06672 [Member States shall ensure that all training is carried out with persons providing adequate guarantees regarding their ability to provide practical training. Article 10 2.] | Human Resources management | Testing | |
Train personnel to recognize conditions of diseases or sicknesses, as necessary. CC ID 14383 | Human Resources management | Training | |
Train personnel to identify and communicate symptoms of exposure to disease or sickness. CC ID 14385 | Human Resources management | Training | |
Grant registration after competence and integrity is verified. CC ID 16802 [Member States may additionally allow the information to be entered in the public register in any other official language(s) of the Community. Member States may require the translation of the information to be certified. Article 20 2. ¶ 1 {public register} In all cases, the Member State concerned shall ensure that the register indicates whether or not the translation is certified. Article 20 2. ¶ 2] | Operational management | Behavior | |
Notify the individual of the reasons for delays in responding to data access requests. CC ID 00422 | Privacy protection for information and data | Behavior | |
Notify the individual when a cost is imposed which must be paid in advance to gain access. CC ID 00423 | Privacy protection for information and data | Behavior | |
Analyze requirements for processing personal data in contracts. CC ID 12550 | Privacy protection for information and data | Investigate | |
Include personal data that is for the state's economic interest as a reason for denial in the personal data request denial procedures. CC ID 00446 | Privacy protection for information and data | Data and Information Management | |
Refrain from storing data elements containing payment card full magnetic stripe data. CC ID 04757 | Privacy protection for information and data | Testing | |
Conduct personal data risk assessments. CC ID 00357 | Privacy protection for information and data | Testing | |
Establish, implement, and maintain suspicious document procedures. CC ID 04852 | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish, implement, and maintain suspicious personal data procedures. CC ID 04853 | Privacy protection for information and data | Data and Information Management | |
Compare certain personal data such as name, date of birth, address, driver's license, or other identification against personal data on file for the applicant. CC ID 04855 | Privacy protection for information and data | Data and Information Management | |
Establish, implement, and maintain suspicious user account activity procedures. CC ID 04854 | Privacy protection for information and data | Monitor and Evaluate Occurrences | |
Perform an identity check prior to approving an account change request. CC ID 13670 | Privacy protection for information and data | Investigate | |
Use the contact information on file to contact the individual identified in an account change request. CC ID 04857 | Privacy protection for information and data | Behavior | |
Match consumer reports with current accounts on file to ensure account misuse or information misuse has not occurred. CC ID 04873 | Privacy protection for information and data | Data and Information Management | |
Log account access dates and report when dormant accounts suddenly exhibit unusual activity. CC ID 04874 | Privacy protection for information and data | Log Management | |
Log dates for account name changes or address changes. CC ID 04876 | Privacy protection for information and data | Log Management | |
Review accounts that are changed for additional user requests. CC ID 11846 | Privacy protection for information and data | Monitor and Evaluate Occurrences | |
Send change notices for change of address requests to the old address and the new address. CC ID 04877 | Privacy protection for information and data | Data and Information Management | |
Search the Internet for evidence of data leakage. CC ID 10419 | Privacy protection for information and data | Process or Activity | |
Review monitored websites for data leakage. CC ID 10593 | Privacy protection for information and data | Monitor and Evaluate Occurrences |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
---|---|---|---|
Leadership and high level objectives CC ID 00597 | Leadership and high level objectives | IT Impact Zone | |
Monitoring and measurement CC ID 00636 | Monitoring and measurement | IT Impact Zone | |
Audits and risk management CC ID 00677 | Audits and risk management | IT Impact Zone | |
Technical security CC ID 00508 | Technical security | IT Impact Zone | |
Human Resources management CC ID 00763 | Human Resources management | IT Impact Zone | |
Operational management CC ID 00805 | Operational management | IT Impact Zone | |
Privacy protection for information and data CC ID 00008 | Privacy protection for information and data | IT Impact Zone | |
Harmonization Methods and Manual of Style CC ID 06095 | Harmonization Methods and Manual of Style | IT Impact Zone |
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
---|---|---|---|
Establish, implement, and maintain a reporting methodology program. CC ID 02072 | Leadership and high level objectives | Business Processes | |
Report to management and stakeholders on the findings and information gathered from all types of inquiries. CC ID 12797 [Competent authorities shall, on request, and without undue delay, supply any information required for the purpose referred to in paragraph 1. Where necessary, the competent authorities receiving any such request shall, without undue delay, take the necessary measures to gather the required information. Information thus supplied shall be covered by the obligation of professional secrecy to which the persons employed or formerly employed by the competent authorities that received the information are subject. Article 36 4. ¶ 1] | Leadership and high level objectives | Actionable Reports or Measurements | |
Establish, implement, and maintain an external reporting program. CC ID 12876 | Leadership and high level objectives | Communicate | |
Include reporting to governing bodies in the external reporting plan. CC ID 12923 [Where the approval of a statutory auditor or of an audit firm is withdrawn for any reason, the competent authority of the Member State where the approval is withdrawn shall communicate that fact and the reasons for the withdrawal to the relevant competent authorities of Member States where the statutory auditor or audit firm is also approved which are entered in the first-named Member State's register in accordance with Article 16(1), point (c). Article 5 3.] | Leadership and high level objectives | Communicate | |
Submit confidential treatment applications to interested personnel and affected parties. CC ID 16592 | Leadership and high level objectives | Communicate | |
Include the reasons for objections to public disclosure in confidential treatment applications. CC ID 16594 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include contact information for the interested personnel and affected parties the report was filed with in the confidential treatment application. CC ID 16595 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the information that was omitted in the confidential treatment application. CC ID 16593 | Leadership and high level objectives | Establish/Maintain Documentation | |
Request extensions for submissions to governing bodies, as necessary. CC ID 16955 | Leadership and high level objectives | Process or Activity | |
Analyze organizational objectives, functions, and activities. CC ID 00598 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
Establish, implement, and maintain a Quality Management framework. CC ID 07196 [Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: Article 29 1. {third-country audit entity} Member States shall subject registered third-country auditors and audit entities to their systems of oversight, their quality assurance systems and their systems of investigation and penalties. A Member State may exempt a registered third-country auditor or audit entity from being subject to its quality assurance system if another Member State's or third country's system of quality assurance that has been assessed as equivalent in accordance with Article 46 has carried out a quality review of the third-country auditor or audit entity concerned during the previous three years. Article 45 3.] | Leadership and high level objectives | Establish/Maintain Documentation | |
Include supply chain management standards in the Quality Management framework. CC ID 13701 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain a Quality Management policy. CC ID 13694 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include a commitment to satisfy applicable requirements in the Quality Management policy. CC ID 13700 [Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: the quality assurance system shall be organised in such a manner that it is independent of the reviewed statutory auditors and audit firms and subject to public oversight as provided for in Chapter VIII; Article 29 1.(a)] | Leadership and high level objectives | Establish/Maintain Documentation | |
Tailor the Quality Management policy to support the organization's strategic direction. CC ID 13699 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include a commitment to continual improvement of the Quality Management system in the Quality Management policy. CC ID 13698 | Leadership and high level objectives | Establish/Maintain Documentation | |
Disseminate and communicate the Quality Management policy to all interested personnel and affected parties. CC ID 13695 | Leadership and high level objectives | Communicate | |
Align the quality objectives with the Quality Management policy. CC ID 13697 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain a Quality Management program. CC ID 07201 [Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: the quality assurance system shall be organised in such a manner that it is independent of the reviewed statutory auditors and audit firms and subject to public oversight as provided for in Chapter VIII; Article 29 1.(a) {investigation process} {disciplinary process} The system of public oversight shall have the ultimate responsibility for the oversight of: continuing education, quality assurance and investigative and disciplinary systems. Article 32 4.(c)] | Leadership and high level objectives | Establish/Maintain Documentation | |
Notify affected parties and interested personnel of quality management system approvals that have been refused, suspended, or withdrawn. CC ID 15045 | Leadership and high level objectives | Communicate | |
Notify affected parties and interested personnel of quality management system approvals that have been issued. CC ID 15036 | Leadership and high level objectives | Communicate | |
Include quality objectives in the Quality Management program. CC ID 13693 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include monitoring and analysis capabilities in the quality management program. CC ID 17153 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
Include records management in the quality management system. CC ID 15055 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include risk management in the quality management system. CC ID 15054 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include data management procedures in the quality management system. CC ID 15052 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include a post-market monitoring system in the quality management system. CC ID 15027 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include operational roles and responsibilities in the quality management system. CC ID 15028 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include resource management in the quality management system. CC ID 15026 [Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: the quality assurance system shall have adequate resources; Article 29 1.(c) Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: the scope of the quality assurance review, supported by adequate testing of selected audit files, shall include an assessment of compliance with applicable auditing standards and independence requirements, of the quantity and quality of resources spent, of the audit fees charged and of the internal quality control system of the audit firm; Article 29 1.(f)] | Leadership and high level objectives | Establish/Maintain Documentation | |
Include communication protocols in the quality management system. CC ID 15025 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include incident reporting procedures in the quality management system. CC ID 15023 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include technical specifications in the quality management system. CC ID 15021 | Leadership and high level objectives | Establish/Maintain Documentation | |
Document the deficiencies in a deficiency report that were found during Quality Control and corrected during Quality Improvement. CC ID 07203 [Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: the quality assurance review shall be the subject of a report which shall contain the main conclusions of the quality assurance review; Article 29 1.(g)] | Leadership and high level objectives | Establish/Maintain Documentation | |
Include an issue tracking system in the Quality Management program. CC ID 06824 [Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: recommendations of quality reviews shall be followed up by the statutory auditor or audit firm within a reasonable period. Article 29 1.(j)] | Leadership and high level objectives | Systems Design, Build, and Implementation | |
Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain a compliance exception standard. CC ID 01628 [{third-country audit entity} Member States shall subject registered third-country auditors and audit entities to their systems of oversight, their quality assurance systems and their systems of investigation and penalties. A Member State may exempt a registered third-country auditor or audit entity from being subject to its quality assurance system if another Member State's or third country's system of quality assurance that has been assessed as equivalent in accordance with Article 46 has carried out a quality review of the third-country auditor or audit entity concerned during the previous three years. Article 45 3.] | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the authority for granting exemptions in the compliance exception standard. CC ID 14329 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include when exemptions expire in the compliance exception standard. CC ID 14330 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include management of the exemption register in the compliance exception standard. CC ID 14328 | Leadership and high level objectives | Establish/Maintain Documentation | |
Disseminate and communicate compliance exceptions to interested personnel and affected parties. CC ID 16945 | Leadership and high level objectives | Communicate | |
Establish, implement, and maintain a public oversight system. CC ID 17284 [Member States shall organise an effective system of public oversight for statutory auditors and audit firms based on the principles set out in paragraphs 2 to 7. Article 32 1. All statutory auditors and audit firms shall be subject to public oversight. Article 32 2. The system of public oversight shall be transparent. This shall include the publication of annual work programmes and activity reports. Article 32 6. {third-country audit entity} Member States shall subject registered third-country auditors and audit entities to their systems of oversight, their quality assurance systems and their systems of investigation and penalties. A Member State may exempt a registered third-country auditor or audit entity from being subject to its quality assurance system if another Member State's or third country's system of quality assurance that has been assessed as equivalent in accordance with Article 46 has carried out a quality review of the third-country auditor or audit entity concerned during the previous three years. Article 45 3.] | Leadership and high level objectives | Business Processes | |
Establish, implement, and maintain an oversight plan. CC ID 17302 | Leadership and high level objectives | Establish/Maintain Documentation | |
Disseminate and communicate the oversight plan to interested personnel and affected parties. CC ID 17308 | Leadership and high level objectives | Communicate | |
Establish, implement, and maintain an oversight team. CC ID 17303 | Leadership and high level objectives | Process or Activity | |
Include roles and responsibilities in the public oversight system. CC ID 17285 [The system of public oversight shall be governed by non-practitioners who are knowledgeable in the areas relevant to statutory audit. Member States may, however, allow a minority of practitioners to be involved in the governance of the public oversight system. Persons involved in the governance of the public oversight system shall be selected in accordance with an independent and transparent nomination procedure. Article 32 3. The system of public oversight shall have the ultimate responsibility for the oversight of: the approval and registration of statutory auditors and audit firms; Article 32 4.(a)] | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain a financial management program. CC ID 13228 [Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: the funding for the quality assurance system shall be secure and free from any possible undue influence by statutory auditors or audit firms; Article 29 1.(b) The system of public oversight shall be adequately funded. The funding for the public oversight system shall be secure and free from any undue influence by statutory auditors or audit firms. Article 32 7.] | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain funds transfer procedures. CC ID 16754 | Leadership and high level objectives | Establish/Maintain Documentation | |
Provide required information that is missing from a funds transfer to the responsible party. CC ID 16761 | Leadership and high level objectives | Communicate | |
Return the funds from a funds transfer when required information is not received or discrepancies resolved. CC ID 16760 | Leadership and high level objectives | Business Processes | |
Delay the funds transfer until all required information has been received or discrepancies resolved. CC ID 16759 | Leadership and high level objectives | Business Processes | |
Refrain from making funds from a funds transfer available to the interested personnel until all required information is received. CC ID 16758 | Leadership and high level objectives | Business Processes | |
Attach the required information to each funds transfer. CC ID 16756 | Leadership and high level objectives | Business Processes | |
Establish, implement, and maintain protective measures for customers from a bank's insolvency or default. CC ID 16738 | Leadership and high level objectives | Business Processes | |
Test the protective measures for effectiveness to prevent financial impact to responsible parties. CC ID 16750 | Leadership and high level objectives | Testing | |
Include communication protocols in the financial management program. CC ID 16763 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include ongoing monitoring in the financial management program. CC ID 16762 | Leadership and high level objectives | Process or Activity | |
Employ tools to manage settlement and funding flows. CC ID 16743 | Leadership and high level objectives | Process or Activity | |
Refrain from setting up anonymous financial accounts. CC ID 16721 | Leadership and high level objectives | Business Processes | |
Identify and maintain positions in financial accounts. CC ID 16751 | Leadership and high level objectives | Business Processes | |
Establish, implement, and maintain a financial products and services disclosure policy. CC ID 16717 | Leadership and high level objectives | Establish/Maintain Documentation | |
Require acknowledgment of receipt from the customer in the financial products and services disclosure policy. CC ID 16725 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain a subsidiary compliance program. CC ID 16694 | Leadership and high level objectives | Process or Activity | |
Establish, implement, and maintain financial resource management procedures. CC ID 16642 [The system of public oversight shall be adequately funded. The funding for the public oversight system shall be secure and free from any undue influence by statutory auditors or audit firms. Article 32 7.] | Leadership and high level objectives | Establish/Maintain Documentation | |
Document the rationale for the amount of financial resources being held. CC ID 16688 | Leadership and high level objectives | Establish/Maintain Documentation | |
Supplement financial resources, as necessary. CC ID 16685 | Leadership and high level objectives | Business Processes | |
Establish, implement, and maintain collateral procedures. CC ID 16653 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the use of appropriate models in the collateral procedures. CC ID 16687 | Leadership and high level objectives | Establish/Maintain Documentation | |
Define the collateral requirements in the collateral procedures. CC ID 16686 | Leadership and high level objectives | Establish/Maintain Documentation | |
Test the collateral requirements for appropriateness. CC ID 16681 | Leadership and high level objectives | Testing | |
Limit the types of assets accepted as collateral. CC ID 16602 | Leadership and high level objectives | Business Processes | |
Avoid the use of concentrated holdings of assets. CC ID 16651 | Leadership and high level objectives | Business Processes | |
Establish, implement, and maintain stress test plans for financial resources. CC ID 16644 | Leadership and high level objectives | Testing | |
Include stress scenarios in the stress test plan. CC ID 16659 | Leadership and high level objectives | Testing | |
Perform stress testing in accordance with the stress test plan. CC ID 16652 | Leadership and high level objectives | Testing | |
Disseminate and communicate the results of stress testing to interested personnel and affected parties. CC ID 16630 | Leadership and high level objectives | Communicate | |
Identify and document the financial resources available for use. CC ID 16643 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain credit loss procedures. CC ID 16683 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the allocation of credit losses in the credit loss procedures. CC ID 16684 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain a securities trading program. CC ID 16626 | Leadership and high level objectives | Business Processes | |
Include fairness and equitability standards in the securities trading program. CC ID 16690 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include roles and responsibilities in the securities trading program. CC ID 16689 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain a capital restoration plan. CC ID 16613 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include performance guarantees in the capital restoration plan. CC ID 16616 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include corrective actions taken in the capital restoration plan. CC ID 16612 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include required information in the capital restoration plan. CC ID 16609 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain valuation procedures. CC ID 16634 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include investment information in approval requests for investments. CC ID 16590 | Leadership and high level objectives | Business Processes | |
Establish, implement, and maintain capital withdrawal requirements. CC ID 16576 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain lending policies. CC ID 16608 | Leadership and high level objectives | Establish/Maintain Documentation | |
Align the lending policy with the organization's risk acceptance level. CC ID 16716 | Leadership and high level objectives | Process or Activity | |
Include the requirements for risk assessments in the lending policy. CC ID 16730 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the requirements for sensitivity analyses in the lending policy. CC ID 16728 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the requirements for feasibility studies in the lending policy. CC ID 16726 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include pricing structures in the lending policy. CC ID 16724 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include monitoring requirements in the lending policy. CC ID 16710 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include loan origination procedures in the lending policy. CC ID 16709 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include review procedures and approval procedures for exception loans in the lending policy. CC ID 16708 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include loan requirements in the lending policy. CC ID 16706 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include appraisals and evaluations in the lending policy. CC ID 16705 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include terms and conditions in the lending policy. CC ID 16695 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the scope and distribution of loans in the lending policy. CC ID 16693 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include geographic areas in the lending policy. CC ID 16691 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include underwriting guidelines in the lending policy. CC ID 16619 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include credit review in the underwriting guidelines. CC ID 16765 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include loan-to-value ratio limits in the lending policy. CC ID 16618 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include documentation requirements in the lending policy. CC ID 16617 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the purpose of the loan in the loan documentation. CC ID 16747 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the source of repayment in the loan documentation. CC ID 16746 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include approval requirements in the lending policy. CC ID 16615 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include reporting requirements in the lending policy. CC ID 16614 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include loan portfolio diversification standards in the lending policy. CC ID 16611 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include loan administration procedures in the lending policy. CC ID 16610 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include loan participation agreements in the loan administration procedures. CC ID 16745 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include termination procedures in the loan participation agreement. CC ID 16753 | Leadership and high level objectives | Establish/Maintain Documentation | |
Justify the safety and efficiency of the participation requirements in the loan participation agreement. CC ID 16752 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include servicing agreements in the loan administration procedures. CC ID 16744 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include claims processing in the loan administration procedures. CC ID 16742 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include forbearance management in the loan administration procedures. CC ID 16741 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include foreclosure management in the loan administration procedures. CC ID 16740 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include delinquency management in the loan administration procedures. CC ID 16739 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include customer due diligence in the loan administration procedures. CC ID 16736 | Leadership and high level objectives | Process or Activity | |
Include the requirements for financial statements in the loan administration procedures. CC ID 16735 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include loan closing in the loan administration procedures. CC ID 16734 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include payoff statements in the loan administration procedures. CC ID 16733 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include payment processing in the loan administration procedures. CC ID 16732 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include loan reviews in the loan administration procedures. CC ID 16703 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include collections in the loan administration procedures. CC ID 16701 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include collateral inspections in the loan administration procedures. CC ID 16699 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include disbursements in the loan administration procedures. CC ID 16697 | Leadership and high level objectives | Establish/Maintain Documentation | |
Review and approve lending policies. CC ID 16607 | Leadership and high level objectives | Business Processes | |
Establish, implement, and maintain a dividend policy. CC ID 16569 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include compliance requirements in the dividend policy. CC ID 16570 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain margin systems. CC ID 16601 | Leadership and high level objectives | Business Processes | |
Include valuation models in the margin system. CC ID 16663 | Leadership and high level objectives | Data and Information Management | |
Include procedures for collecting price data in the margin system. CC ID 16662 | Leadership and high level objectives | Data and Information Management | |
Include reliable sources for price data in the margin system. CC ID 16661 | Leadership and high level objectives | Data and Information Management | |
Establish, implement, and maintain capital adequacy measures. CC ID 16568 | Leadership and high level objectives | Business Processes | |
Establish, implement, and maintain escrow procedures for financial transactions. CC ID 16564 | Leadership and high level objectives | Establish/Maintain Documentation | |
Disseminate and communicate the escrow procedures to interested personnel and affected parties. CC ID 16565 | Leadership and high level objectives | Communicate | |
Include risk management in the Capital Planning and Investment Control policy. CC ID 16764 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include debt rating requirements in the Capital Planning and Investment Control policy. CC ID 16692 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include divestiture requirements in the Capital Planning and Investment Control policy. CC ID 16591 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain a recordkeeping system for securities transactions. CC ID 16631 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include order tickets in the recordkeeping system for securities transactions. CC ID 16640 | Leadership and high level objectives | Data and Information Management | |
Include receipts and deliveries of securities in the recordkeeping system for securities transactions. CC ID 16650 | Leadership and high level objectives | Data and Information Management | |
Include debits and credits in the recordkeeping system for securities transactions. CC ID 16639 | Leadership and high level objectives | Data and Information Management | |
Include a description of the transaction in the recordkeeping system for securities transactions. CC ID 16645 | Leadership and high level objectives | Data and Information Management | |
Include chronological records of transactions in the recordkeeping system for securities transactions. CC ID 16638 | Leadership and high level objectives | Data and Information Management | |
Include the name of the dealer in the recordkeeping system for securities transactions. CC ID 16637 | Leadership and high level objectives | Data and Information Management | |
Include the execution price in the recordkeeping system for securities transactions. CC ID 16636 | Leadership and high level objectives | Data and Information Management | |
Include the date and time of the transaction in the recordkeeping system for securities transactions. CC ID 16635 | Leadership and high level objectives | Data and Information Management | |
Include the type of transaction in the recordkeeping system for securities transactions. CC ID 16633 | Leadership and high level objectives | Data and Information Management | |
Include account information in the recordkeeping system for securities transactions. CC ID 16632 | Leadership and high level objectives | Data and Information Management | |
Establish, implement, and maintain securities transaction notifications. CC ID 16600 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the call date in the securities transaction notification. CC ID 16680 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include service charges and commissions in the securities transaction notification. CC ID 16702 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the funds and securities in the possession of the organization in the securities transaction notification. CC ID 16679 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the call price in the securities transaction notification. CC ID 16678 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include debits and credits in the securities transaction notification. CC ID 16677 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include transactions in the securities transaction notification. CC ID 16676 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the credit rating of securities in the securities transaction notification. CC ID 16674 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include yield information in the securities transaction notification. CC ID 16673 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include redemption information in the securities transaction notification. CC ID 16672 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the price calculated from the yield in the securities transaction notification. CC ID 16669 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the type of call in the securities transaction notification. CC ID 16668 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include an account statement in the securities transaction notification. CC ID 16666 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the yield to maturity in the securities transaction notification. CC ID 16665 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the execution price in the securities transaction notification. CC ID 16664 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the organization's role in the securities transaction notification. CC ID 16646 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the name of the broker in the securities transaction notification. CC ID 16647 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the name of the customer in the securities transaction notification. CC ID 16625 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the organization's name in the securities transaction notification. CC ID 16624 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include confirmations in the securities transaction notification. CC ID 16623 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include remunerations in the securities transaction notification. CC ID 16622 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include requested information in the securities transaction notification. CC ID 16641 | Leadership and high level objectives | Establish/Maintain Documentation | |
Disseminate and communicate securities transaction notifications to interested personnel and affected parties. CC ID 16621 | Leadership and high level objectives | Communicate | |
Include the execution date in the securities transaction notification. CC ID 16620 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain financial reports. CC ID 14770 [Without prejudice to the responsibility of the members of the administrative, management or supervisory bodies, or of other members who are appointed by the general meeting of shareholders of the audited entity, the audit committee shall, inter alia: monitor the financial reporting process; Article 41 2.(a)] | Leadership and high level objectives | Establish/Maintain Documentation | |
Structure financial reports in accordance with external requirements, as necessary. CC ID 14776 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the report of independent Certified Public Accountants in the financial report. CC ID 14779 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the business need justification for lost value in the financial report. CC ID 15588 | Leadership and high level objectives | Establish/Maintain Documentation | |
Disseminate and communicate the financial report to interested personnel and affected parties. CC ID 16342 | Leadership and high level objectives | Communicate | |
Include financial statements in the financial report, as necessary. CC ID 14775 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include capital deductions and adjustments in the financial statement. CC ID 16667 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include earnings per share or loss per share in the financial statement. CC ID 16597 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include material contingencies in the financial statement. CC ID 16596 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include notes to financial statements in the financial report, as necessary. CC ID 14780 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include information on loans to small businesses and small farms in the call report. CC ID 16731 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include assets and liabilities in the call report. CC ID 16729 | Leadership and high level objectives | Establish/Maintain Documentation | |
Disseminate and communicate the call report to interested personnel and affected parties. CC ID 16727 | Leadership and high level objectives | Communicate | |
Establish, implement, and maintain a compliance monitoring policy. CC ID 00671 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain a metrics policy. CC ID 01654 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain an approach for compliance monitoring. CC ID 01653 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain disciplinary action notices. CC ID 16577 | Monitoring and measurement | Establish/Maintain Documentation | |
Include a copy of the order in the disciplinary action notice. CC ID 16606 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the sanctions imposed in the disciplinary action notice. CC ID 16599 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the effective date of the sanctions in the disciplinary action notice. CC ID 16589 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the requirements that were violated in the disciplinary action notice. CC ID 16588 | Monitoring and measurement | Establish/Maintain Documentation | |
Include responses to charges from interested personnel and affected parties in the disciplinary action notice. CC ID 16587 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the reasons for imposing sanctions in the disciplinary action notice. CC ID 16586 | Monitoring and measurement | Establish/Maintain Documentation | |
Disseminate and communicate the disciplinary action notice to interested personnel and affected parties. CC ID 16585 [Where a competent authority concludes that activities contrary to the provisions of this Directive are being or have been carried out on the territory of another Member State, it shall notify the competent authority of the other Member State of that conclusion in as specific a manner as possible. The competent authority of the other Member State shall take appropriate action. It shall inform the notifying competent authority of the outcome and, to the extent possible, of significant interim developments. Article 36 5.] | Monitoring and measurement | Communicate | |
Include required information in the disciplinary action notice. CC ID 16584 | Monitoring and measurement | Establish/Maintain Documentation | |
Include a justification for actions taken in the disciplinary action notice. CC ID 16583 | Monitoring and measurement | Establish/Maintain Documentation | |
Include a statement on the conclusions of the investigation in the disciplinary action notice. CC ID 16582 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the investigation results in the disciplinary action notice. CC ID 16581 | Monitoring and measurement | Establish/Maintain Documentation | |
Include a description of the causes of the actions taken in the disciplinary action notice. CC ID 16580 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the name of the person responsible for the charges in the disciplinary action notice. CC ID 16579 | Monitoring and measurement | Establish/Maintain Documentation | |
Include contact information in the disciplinary action notice. CC ID 16578 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain a cross-organizational audit sharing agreement. CC ID 10595 | Monitoring and measurement | Establish/Maintain Documentation | |
Provide cross-organizational audit information based on the cross-organizational audit sharing agreement. CC ID 10596 [The competent authorities of Member States responsible for approval, registration, quality assurance, inspection and discipline shall cooperate with each other whenever necessary for the purpose of carrying out their respective responsibilities under this Directive. The competent authorities in a Member State responsible for approval, registration, quality assurance, inspection and discipline shall render assistance to competent authorities in other Member States. In particular, competent authorities shall exchange information and cooperate in investigations related to the carrying-out of statutory audits. Article 36 1.] | Monitoring and measurement | Audits and Risk Management | |
Publish a Statement of Compliance for the organization's external requirements. CC ID 12350 [Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: the overall results of the quality assurance system shall be published annually; Article 29 1.(i)] | Audits and risk management | Communicate | |
Include a commitment to cooperate with applicable statutory bodies in the Statement of Compliance. CC ID 12370 [The competent authorities of Member States responsible for approval, registration, quality assurance, inspection and discipline shall cooperate with each other whenever necessary for the purpose of carrying out their respective responsibilities under this Directive. The competent authorities in a Member State responsible for approval, registration, quality assurance, inspection and discipline shall render assistance to competent authorities in other Member States. In particular, competent authorities shall exchange information and cooperate in investigations related to the carrying-out of statutory audits. Article 36 1.] | Audits and risk management | Establish/Maintain Documentation | |
Define the roles and responsibilities for personnel assigned to tasks in the Audit function. CC ID 00678 [Member States shall ensure that in the case of a statutory audit of the consolidated accounts of a group of undertakings: the group auditor bears the full responsibility for the audit report in relation with the consolidated accounts; Article 27 ¶ 1 (a)] | Audits and risk management | Establish Roles | |
Rotate auditors, as necessary. CC ID 15589 [Member States shall ensure that the key audit partner(s) responsible for carrying out a statutory audit rotate(s) from the audit engagement within a maximum period of seven years from the date of appointment and is/are allowed to participate in the audit of the audited entity again after a period of at least two years. Article 42 2.] | Audits and risk management | Audits and Risk Management | |
Withdraw the approvals of auditors, as necessary. CC ID 17260 [Approval of a statutory auditor or an audit firm shall be withdrawn if the good repute of that person or firm has been seriously compromised. Member States may, however, provide for a reasonable period of time for the purpose of meeting the requirements of good repute. Article 5 1. Approval of an audit firm shall be withdrawn if any of the conditions imposed in Article 3(4), points (b) and (c) is no longer fulfilled. Member States may, however, provide for a reasonable period of time for the purpose of fulfilling those conditions. Article 5 2. Member States shall ensure that statutory auditors or audit firms may be dismissed only where there are proper grounds. Divergence of opinions on accounting treatments or audit procedures shall not be proper grounds for dismissal. Article 38 1.] | Audits and risk management | Business Processes | |
Notify interested personnel and affected parties of the reasons for the withdrawal of auditors. CC ID 17283 [Member States shall ensure that the audited entity and the statutory auditor or audit firm inform the authority or authorities responsible for public oversight concerning the dismissal or resignation of the statutory auditor or audit firm during the term of appointment and give an adequate explanation of the reasons therefor. Article 38 2.] | Audits and risk management | Communicate | |
Define the qualification requirements for auditors. CC ID 17259 [The competent authorities of the Member States may approve as audit firms only those entities which satisfy the following conditions: the natural persons who carry out statutory audits on behalf of an audit firm must satisfy at least the conditions imposed by Articles 4 and 6 to 12 and must be approved as statutory auditors in the Member State concerned; Article 3 4.(a) Without prejudice to Article 11, the competent authorities of the Member States may approve as statutory auditors only natural persons who satisfy at least the conditions laid down in Articles 4 and 6 to 10. Article 3 3. The competent authorities of the Member States may approve as audit firms only those entities which satisfy the following conditions: a majority of the voting rights in an entity must be held by audit firms which are approved in any Member State or by natural persons who satisfy at least the conditions imposed by Articles 4 and 6 to 12. Member States may provide that such natural persons must also have been approved in another Member State. For the purpose of the statutory audit of cooperatives and similar entities as referred to in Article 45 of Directive 86/635/EEC, Member States may establish other specific provisions in relation to voting rights; Article 3 4.(b) The competent authorities of the Member States may approve as audit firms only those entities which satisfy the following conditions: a majority — up to a maximum of 75 % — of the members of the administrative or management body of the entity must be audit firms which are approved in any Member State or natural persons who satisfy at least the conditions imposed by Articles 4 and 6 to 12. Member States may provide that such natural persons must also have been approved in another Member State. 
Where such a body has no more than two members, one of those members must satisfy at least the conditions in this point; Article 3 4.(c) The competent authorities of the Member States may approve as audit firms only those entities which satisfy the following conditions: the firm must satisfy the condition imposed by Article 4. Article 3 4.(d) {audit firms} The competent authorities of a Member State may grant approval only to natural persons or firms of good repute. Article 4 ¶ 1 Without prejudice to Article 11, a natural person may be approved to carry out a statutory audit only after having attained university entrance or equivalent level, then completed a course of theoretical instruction, undergone practical training and passed an examination of professional competence of university final or equivalent examination level, organised or recognised by the Member State concerned. Article 6 ¶ 1 A Member State may approve a person who does not satisfy the conditions laid down in Article 6 as a statutory auditor, if he or she can show either: that he or she has, for 15 years, engaged in professional activities which have enabled him or her to acquire sufficient experience in the fields of finance, law and accountancy, and has passed the examination of professional competence referred to in Article 7, or Article 11 ¶ 1 (a) A Member State may approve a person who does not satisfy the conditions laid down in Article 6 as a statutory auditor, if he or she can show either: that he or she has, for seven years, engaged in professional activities in those fields and has, in addition, undergone the practical training referred to in Article 10 and passed the examination of professional competence referred to in Article 7. Article 11 ¶ 1 (b) The competent authorities of the Member States shall establish procedures for the approval of statutory auditors who have been approved in other Member States. 
Those procedures shall not go beyond a requirement to pass an aptitude test in accordance with Article 4 of Council Directive 89/48/EEC of 21 December 1988 on a general system for the recognition of higher-education diplomas awarded on completion of professional education and training of at least three years' duration (18). The aptitude test, which shall be conducted in one of the languages permitted by the language rules applicable in the Member State concerned, shall cover only the statutory auditor's adequate knowledge of the laws and regulations of that Member State in so far as relevant to statutory audits. Article 14 ¶ 1 In order to ensure the ability to apply theoretical knowledge in practice, a test of which is included in the examination, a trainee shall complete a minimum of three years' practical training in, inter alia, the auditing of annual accounts, consolidated accounts or similar financial statements. At least two thirds of such practical training shall be completed with a statutory auditor or audit firm approved in any Member State. Article 10 1. Member States shall ensure that the key audit partner(s) responsible for carrying out a statutory audit rotate(s) from the audit engagement within a maximum period of seven years from the date of appointment and is/are allowed to participate in the audit of the audited entity again after a period of at least two years. Article 42 2. Subject to reciprocity, the competent authorities of a Member State may approve a third-country auditor as statutory auditor if that person has furnished proof that he or she complies with requirements equivalent to those laid down in Articles 4 and 6 to 13. Article 44 1.] | Audits and risk management | Human Resources Management | |
Disseminate and communicate the auditor's qualification requirements to interested personnel and affected parties. CC ID 17265 | Audits and risk management | Communicate | |
Define and assign the external auditor's roles and responsibilities. CC ID 00683 [The statutory auditor or audit firm shall be appointed by the general meeting of shareholders or members of the audited entity. Article 37 1.] | Audits and risk management | Establish Roles | |
Review external auditor outsourcing contracts and engagement letters. CC ID 01189 [Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: the scope of the quality assurance review, supported by adequate testing of selected audit files, shall include an assessment of compliance with applicable auditing standards and independence requirements, of the quantity and quality of resources spent, of the audit fees charged and of the internal quality control system of the audit firm; Article 29 1.(f)] | Audits and risk management | Establish/Maintain Documentation | |
Include roles and responsibilities in external auditor outsourcing contracts. CC ID 16523 | Audits and risk management | Establish/Maintain Documentation | |
Conduct a performance review of the external auditor's performance during the audit process. CC ID 01198 [{investigation process} {disciplinary process} The system of public oversight shall have the ultimate responsibility for the oversight of: continuing education, quality assurance and investigative and disciplinary systems. Article 32 4.(c) The competent authorities of Member States responsible for approval, registration, quality assurance, inspection and discipline shall cooperate with each other whenever necessary for the purpose of carrying out their respective responsibilities under this Directive. The competent authorities in a Member State responsible for approval, registration, quality assurance, inspection and discipline shall render assistance to competent authorities in other Member States. In particular, competent authorities shall exchange information and cooperate in investigations related to the carrying-out of statutory audits. Article 36 1. The system of public oversight shall have the right, where necessary, to conduct investigations in relation to statutory auditors and audit firms and the right to take appropriate action. Article 32 5. Member States shall ensure that there are effective systems of investigations and penalties to detect, correct and prevent inadequate execution of the statutory audit. Article 30 1. {third-country audit entity} Member States shall subject registered third-country auditors and audit entities to their systems of oversight, their quality assurance systems and their systems of investigation and penalties. A Member State may exempt a registered third-country auditor or audit entity from being subject to its quality assurance system if another Member State's or third country's system of quality assurance that has been assessed as equivalent in accordance with Article 46 has carried out a quality review of the third-country auditor or audit entity concerned during the previous three years. Article 45 3.] | Audits and risk management | Audits and Risk Management | |
Establish, implement, and maintain an audit program. CC ID 00684 [Without prejudice to the responsibility of the members of the administrative, management or supervisory bodies, or of other members who are appointed by the general meeting of shareholders of the audited entity, the audit committee shall, inter alia: monitor the statutory audit of the annual and consolidated accounts; Article 41 2.(c)] | Audits and risk management | Establish/Maintain Documentation | |
Establish, implement, and maintain audit policies. CC ID 13166 | Audits and risk management | Establish/Maintain Documentation | |
Assign the audit to impartial auditors. CC ID 07118 [Member States shall ensure that when carrying out a statutory audit, the statutory auditor and/or the audit firm is independent of the audited entity and is not involved in the decision-taking of the audited entity. Article 22 1. {alternative measures} Member States may allow alternative systems or modalities for the appointment of the statutory auditor or audit firm, provided that those systems or modalities are designed to ensure the independence of the statutory auditor or audit firm from the executive members of the administrative body or from the managerial body of the audited entity. Article 37 2.] | Audits and risk management | Establish Roles | |
Define what constitutes a threat to independence. CC ID 16824 [In addition to the provisions laid down in Articles 22 and 24, Member States shall ensure that statutory auditors or audit firms that carry out the statutory audit of a public-interest entity: discuss with the audit committee the threats to their independence and the safeguards applied to mitigate those threats as documented by them pursuant to Article 22(3). Article 42 1.(c)] | Audits and risk management | Audits and Risk Management | |
Mitigate the threats to an auditor's independence. CC ID 17282 [Member States shall ensure that a statutory auditor or an audit firm shall not carry out a statutory audit if there is any direct or indirect financial, business, employment or other relationship — including the provision of additional non-audit services — between the statutory auditor, audit firm or network and the audited entity from which an objective, reasonable and informed third party would conclude that the statutory auditor's or audit firm's independence is compromised. If the statutory auditor's or audit firm's independence is affected by threats, such as self-review, self-interest, advocacy, familiarity or trust or intimidation, the statutory auditor or audit firm must apply safeguards in order to mitigate those threats. If the significance of the threats compared to the safeguards applied is such that his, her or its independence is compromised, the statutory auditor or audit firm shall not carry out the statutory audit. Article 22 2. ¶ 1 Member States shall ensure that a statutory auditor or audit firm documents in the audit working papers all significant threats to his, her or its independence as well as the safeguards applied to mitigate those threats. Article 22 3. {administrative bodies} {management bodies} Member States shall ensure that the owners or shareholders of an audit firm as well as the members of the administrative, management and supervisory bodies of such a firm, or of an affiliated firm, do not intervene in the execution of a statutory audit in any way which jeopardises the independence and objectivity of the statutory auditor who carries out the statutory audit on behalf of the audit firm. Article 24 ¶ 1 In addition to the provisions laid down in Articles 22 and 24, Member States shall ensure that statutory auditors or audit firms that carry out the statutory audit of a public-interest entity: discuss with the audit committee the threats to their independence and the safeguards applied to mitigate those threats as documented by them pursuant to Article 22(3). Article 42 1.(c)] | Audits and risk management | Process or Activity | |
Include resource requirements in the audit program. CC ID 15237 | Audits and risk management | Establish/Maintain Documentation | |
Include risks and opportunities in the audit program. CC ID 15236 | Audits and risk management | Establish/Maintain Documentation | |
Establish and maintain audit terms. CC ID 13880 | Audits and risk management | Establish/Maintain Documentation | |
Refrain from approving changes to the audit terms absent reasonable justification. CC ID 13973 | Audits and risk management | Process or Activity | |
Include a statement about the inherent limitations of the audit in the audit terms. CC ID 13883 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that the audit will be conducted in accordance with attestation standards in the audit terms. CC ID 13882 | Audits and risk management | Establish/Maintain Documentation | |
Establish, implement, and maintain agreed upon procedures that are in scope for the audit. CC ID 13893 | Audits and risk management | Establish/Maintain Documentation | |
Establish, implement, and maintain an in scope system description. CC ID 14873 | Audits and risk management | Establish/Maintain Documentation | |
Include in scope procedures in the audit assertion's in scope system description. CC ID 16551 | Audits and risk management | Audits and Risk Management | |
Include roles and responsibilities in the audit assertion's in scope system description. CC ID 16558 | Audits and risk management | Audits and Risk Management | |
Include the audit criteria in the audit assertion's in scope system description. CC ID 16548 | Audits and risk management | Audits and Risk Management | |
Include facility locations in the audit assertion's in scope system description. CC ID 17261 | Audits and risk management | Establish/Maintain Documentation | |
Include third party data in the audit assertion's in scope system description. CC ID 16554 | Audits and risk management | Audits and Risk Management | |
Include third party personnel in the audit assertion's in scope system description. CC ID 16552 | Audits and risk management | Audits and Risk Management | |
Include compliance requirements in the audit assertion's in scope system description. CC ID 16506 | Audits and risk management | Audits and Risk Management | |
Include third party assets in the audit assertion's in scope system description. CC ID 16550 | Audits and risk management | Audits and Risk Management | |
Include third party services in the audit assertion's in scope system description. CC ID 16503 | Audits and risk management | Establish/Maintain Documentation | |
Include monitoring controls in the audit assertion's in scope system description. CC ID 16501 | Audits and risk management | Establish/Maintain Documentation | |
Include availability commitments in the audit assertion's in scope system description. CC ID 14914 | Audits and risk management | Establish/Maintain Documentation | |
Include deviations and the corrective actions taken in the audit assertion's in scope system description. CC ID 16549 | Audits and risk management | Audits and Risk Management | |
Include changes in the audit assertion's in scope system description. CC ID 14894 | Audits and risk management | Establish/Maintain Documentation | |
Include external communications in the audit assertion's in scope system description. CC ID 14913 | Audits and risk management | Establish/Maintain Documentation | |
Include a section regarding incidents related to the system in the audit assertion’s in scope system description. CC ID 14878 | Audits and risk management | Establish/Maintain Documentation | |
Include the function performed by the in scope system in the audit assertion's in scope system description. CC ID 14911 | Audits and risk management | Establish/Maintain Documentation | |
Include the disposition of the incident in the audit assertion's in scope system description. CC ID 14896 | Audits and risk management | Establish/Maintain Documentation | |
Include the extent of the incident in the audit assertion's in scope system description. CC ID 14895 | Audits and risk management | Establish/Maintain Documentation | |
Include the timing of each incident in the audit assertion's in scope system description. CC ID 14891 | Audits and risk management | Establish/Maintain Documentation | |
Include the nature of each incident in the audit assertion's in scope system description. CC ID 14889 | Audits and risk management | Establish/Maintain Documentation | |
Include a section regarding in scope controls related to the system in the audit assertion's in scope system description. CC ID 14897 | Audits and risk management | Establish/Maintain Documentation | |
Include how the in scope system meets external requirements in the audit assertion's in scope system description. CC ID 16502 | Audits and risk management | Establish/Maintain Documentation | |
Include the timing of each control in the audit assertion's in scope system description. CC ID 14916 | Audits and risk management | Establish/Maintain Documentation | |
Include the nature of the control in the audit assertion's in scope system description. CC ID 14910 | Audits and risk management | Establish/Maintain Documentation | |
Include the information sources used in performing the control in the audit assertion's in scope system description. CC ID 14909 | Audits and risk management | Establish/Maintain Documentation | |
Include the responsible party for performing the control in the audit assertion's in scope system description. CC ID 14907 | Audits and risk management | Establish/Maintain Documentation | |
Include the subject matter to which the control is applied in the audit assertion's in scope system description. CC ID 14904 | Audits and risk management | Establish/Maintain Documentation | |
Refrain from omitting or distorting information in the audit assertion's in scope system description. CC ID 14893 | Audits and risk management | Establish/Maintain Documentation | |
Include the timing of each change in the audit assertion's in scope system description. CC ID 14892 | Audits and risk management | Establish/Maintain Documentation | |
Include the system boundaries in the audit assertion's in scope system description. CC ID 14887 | Audits and risk management | Establish/Maintain Documentation | |
Include the time frame covered by the description in the audit assertion's in scope system description. CC ID 14884 | Audits and risk management | Establish/Maintain Documentation | |
Include commitments to third parties in the audit assertion. CC ID 14899 | Audits and risk management | Establish/Maintain Documentation | |
Determine the completeness of the audit assertion's in scope system description. CC ID 14883 | Audits and risk management | Establish/Maintain Documentation | |
Include system requirements in the audit assertion's in scope system description. CC ID 14881 | Audits and risk management | Establish/Maintain Documentation | |
Include third party controls in the audit assertion's in scope system description. CC ID 14880 | Audits and risk management | Establish/Maintain Documentation | |
Hold an opening meeting with interested personnel and affected parties prior to an audit. CC ID 15256 | Audits and risk management | Audits and Risk Management | |
Identify personnel who should attend the closing meeting. CC ID 15261 | Audits and risk management | Business Processes | |
Include discussions about how particular situations will be handled in the opening meeting. CC ID 15254 | Audits and risk management | Audits and Risk Management | |
Include third party assets in the audit scope. CC ID 16504 | Audits and risk management | Audits and Risk Management | |
Examine the availability of the audit criteria in the audit program. CC ID 16520 | Audits and risk management | Investigate | |
Examine the relevance of the audit criteria in the audit program. CC ID 07107 | Audits and risk management | Establish/Maintain Documentation | |
Determine the appropriateness of the audit subject matter. CC ID 16505 | Audits and risk management | Audits and Risk Management | |
Include in scope information in the audit program. CC ID 16198 | Audits and risk management | Establish/Maintain Documentation | |
Include the date of the audit in the representation letter. CC ID 16517 | Audits and risk management | Audits and Risk Management | |
Include a statement that management has evaluated compliance with external requirements in the representation letter. CC ID 13942 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that management has disclosed the implementation status in the representation letter. CC ID 17162 | Audits and risk management | Audits and Risk Management | |
Include a statement that the assumptions used for estimates are reasonable in the representation letter. CC ID 13934 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that uncorrected misstatements are believed to be immaterial in the representation letter. CC ID 13884 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that system incidents have been disclosed to the auditor in the representation letter. CC ID 16772 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that incidents of fraud and non-compliance have been disclosed to the auditor in the representation letter. CC ID 16769 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that deficiencies in internal controls have been disclosed to the auditor in the representation letter. CC ID 13899 | Audits and risk management | Establish/Maintain Documentation | |
Include an in scope system description in the audit assertion. CC ID 14872 | Audits and risk management | Establish/Maintain Documentation | |
Include any assumptions that are improbable in the audit assertion. CC ID 13950 | Audits and risk management | Establish/Maintain Documentation | |
Include investigations and legal proceedings in the audit assertion. CC ID 16846 | Audits and risk management | Establish/Maintain Documentation | |
Include the responsible party's opinion of the quality of the evidence in the audit assertion. CC ID 13949 | Audits and risk management | Establish/Maintain Documentation | |
Establish and maintain a practitioner’s report on management’s assertions, as necessary. CC ID 13888 | Audits and risk management | Establish/Maintain Documentation | |
Hold a closing meeting following an audit to present audit findings and conclusions. CC ID 15248 | Audits and risk management | Communicate | |
Schedule attestation engagement meetings with interested personnel and affected parties, as necessary. CC ID 15263 | Audits and risk management | Business Processes | |
Refrain from accepting an attestation engagement when the engaging party refuses to sign the engagement letter. CC ID 14912 | Audits and risk management | Business Processes | |
Refrain from accepting an attestation engagement unless the prospective financial information includes a summary of significant assumptions. CC ID 13954 | Audits and risk management | Behavior | |
Refrain from accepting an attestation engagement when all parties disagree on the procedures. CC ID 13951 | Audits and risk management | Audits and Risk Management | |
Accept the attestation engagement when all preconditions are met. CC ID 13933 | Audits and risk management | Business Processes | |
Audit in scope audit items and compliance documents. CC ID 06730 [A statutory audit shall be carried out only by statutory auditors or audit firms which are approved by the Member State requiring the statutory audit. Article 3 1. Member States shall require statutory auditors and audit firms to carry out statutory audits in compliance with international auditing standards adopted by the Commission in accordance with the procedure referred to in Article 48(2). Member States may apply a national auditing standard as long as the Commission has not adopted an international auditing standard covering the same subject-matter. Adopted international auditing standards shall be published in full in each of the official languages of the Community in the Official Journal of the European Union. Article 26 1.] | Audits and risk management | Audits and Risk Management | |
Collect all work papers for the audit and audit report into an engagement file. CC ID 07001 [Member States shall ensure that in the case of a statutory audit of the consolidated accounts of a group of undertakings: when a component of a group of undertakings is audited by auditor(s) or audit entity(ies) from a third country that has no working arrangement as referred to in Article 47, the group auditor is responsible for ensuring proper delivery, when requested, to the public oversight authorities of the documentation of the audit work performed by the third-country auditor(s) or audit entity(ies), including the working papers relevant to the group audit. To ensure such delivery, the group auditor shall retain a copy of such documentation, or alternatively agree with the third-country auditor(s) or audit entity(ies) his proper and unrestricted access upon request, or take any other appropriate action. If legal or other impediments prevent audit working papers from being passed from a third country to the group auditor, the documentation retained by the group auditor shall include evidence that he or she has undertaken the appropriate procedures in order to gain access to the audit documentation, and in the case of impediments other than legal ones arising from country legislation, evidence supporting such an impediment. Article 27 ¶ 1 (c)] | Audits and risk management | Actionable Reports or Measurements | |
Disclose work papers in the engagement file in compliance with legal requirements. CC ID 07180 [Member States may allow the transfer to the competent authorities of a third country of audit working papers or other documents held by statutory auditors or audit firms approved by them, provided that: those audit working papers or other documents relate to audits of companies which have issued securities in that third country or which form part of a group issuing statutory consolidated accounts in that third country; Article 47 1.(a) Member States may allow the transfer to the competent authorities of a third country of audit working papers or other documents held by statutory auditors or audit firms approved by them, provided that: the transfer takes place via the home competent authorities to the competent authorities of that third country and at their request; Article 47 1.(b) Member States may allow the transfer to the competent authorities of a third country of audit working papers or other documents held by statutory auditors or audit firms approved by them, provided that: the competent authorities of the third country concerned meet requirements which have been declared adequate in accordance with paragraph 3; Article 47 1.(c) Member States may allow the transfer to the competent authorities of a third country of audit working papers or other documents held by statutory auditors or audit firms approved by them, provided that: there are working arrangements on the basis of reciprocity agreed between the competent authorities concerned; Article 47 1.(d) Member States may allow the transfer to the competent authorities of a third country of audit working papers or other documents held by statutory auditors or audit firms approved by them, provided that: the transfer of personal data to the third country is in accordance with Chapter IV of Directive 95/46/EC. Article 47 1.(e) In exceptional cases and by way of derogation from paragraph 1, Member States may allow statutory auditors and audit firms approved by them to transfer audit working papers and other documents directly to the competent authorities of a third country, provided that: investigations have been initiated by the competent authorities in that third country; Article 47 4.(a) In exceptional cases and by way of derogation from paragraph 1, Member States may allow statutory auditors and audit firms approved by them to transfer audit working papers and other documents directly to the competent authorities of a third country, provided that: the transfer does not conflict with the obligations with which statutory auditors and audit firms are required to comply in relation to the transfer of audit working papers and other documents to their home competent authority; Article 47 4.(b) In exceptional cases and by way of derogation from paragraph 1, Member States may allow statutory auditors and audit firms approved by them to transfer audit working papers and other documents directly to the competent authorities of a third country, provided that: there are working arrangements with the competent authorities of that third country that allow the competent authorities in the Member State reciprocal direct access to audit working papers and other documents of that third-country's audit entities; Article 47 4.(c) In exceptional cases and by way of derogation from paragraph 1, Member States may allow statutory auditors and audit firms approved by them to transfer audit working papers and other documents directly to the competent authorities of a third country, provided that: the requesting competent authority of the third country informs in advance the home competent authority of the statutory auditor or audit firm of each direct request for information, indicating the reasons therefor; Article 47 4.(d) In exceptional cases and by way of derogation from paragraph 1, Member States may allow statutory auditors and audit firms approved by them to transfer audit working papers and other documents directly to the competent authorities of a third country, provided that: the conditions referred to in paragraph 2 are respected. Article 47 4.(e)] | Audits and risk management | Establish/Maintain Documentation | |
Conduct onsite inspections, as necessary. CC ID 16199 | Audits and risk management | Testing | |
Review documentation to determine the effectiveness of in scope controls. CC ID 16522 | Audits and risk management | Process or Activity | |
Refrain from using audit evidence that is not sufficient. CC ID 17163 | Audits and risk management | Audits and Risk Management | |
Report that audit evidence collected was not sufficient to the proper authorities. CC ID 16847 | Audits and risk management | Communicate | |
Establish, implement, and maintain interview procedures. CC ID 16282 | Audits and risk management | Establish/Maintain Documentation | |
Include roles and responsibilities in the interview procedures. CC ID 16297 | Audits and risk management | Human Resources Management | |
Coordinate the scheduling of interviews. CC ID 16293 | Audits and risk management | Process or Activity | |
Create a schedule for the interviews. CC ID 16292 | Audits and risk management | Process or Activity | |
Identify interviewees. CC ID 16290 | Audits and risk management | Process or Activity | |
Explain the testing results to the interviewee. CC ID 16291 | Audits and risk management | Process or Activity | |
Establish and maintain work papers, as necessary. CC ID 13891 [Member States shall ensure that in the case of a statutory audit of the consolidated accounts of a group of undertakings: the group auditor carries out a review and maintains documentation of his or her review of the audit work performed by third-country auditor(s), statutory auditor(s), third-country audit entity(ies) or audit firm(s) for the purpose of the group audit. The documentation retained by the group auditor shall be such as enables the relevant competent authority to review the work of the group auditor properly; Article 27 ¶ 1 (b) The working arrangements referred to in paragraph 1(d) shall ensure that: the competent authorities of the third country may use audit working papers and other documents only for the exercise of their functions of public oversight, quality assurance and investigations that meet requirements equivalent to those of Articles 29, 30 and 32; Article 47 2.(c)] | Audits and risk management | Establish/Maintain Documentation | |
Include the auditor's conclusions on work performed by individuals assigned to the audit in the work papers. CC ID 16775 | Audits and risk management | Establish/Maintain Documentation | |
Include audit irregularities in the work papers. CC ID 16774 | Audits and risk management | Establish/Maintain Documentation | |
Include corrective actions in the work papers. CC ID 16771 | Audits and risk management | Establish/Maintain Documentation | |
Include information about the organization being audited and the auditor performing the audit in the work papers. CC ID 16770 | Audits and risk management | Establish/Maintain Documentation | |
Include discussions with interested personnel and affected parties in the work papers. CC ID 16768 | Audits and risk management | Establish/Maintain Documentation | |
Include justification for departing from mandatory requirements in the work papers. CC ID 13935 | Audits and risk management | Establish/Maintain Documentation | |
Include audit evidence obtained from previous engagements in the work papers. CC ID 16518 [Member States shall ensure that in the case of a statutory audit of the consolidated accounts of a group of undertakings: when a component of a group of undertakings is audited by auditor(s) or audit entity(ies) from a third country that has no working arrangement as referred to in Article 47, the group auditor is responsible for ensuring proper delivery, when requested, to the public oversight authorities of the documentation of the audit work performed by the third-country auditor(s) or audit entity(ies), including the working papers relevant to the group audit. To ensure such delivery, the group auditor shall retain a copy of such documentation, or alternatively agree with the third-country auditor(s) or audit entity(ies) his proper and unrestricted access upon request, or take any other appropriate action. If legal or other impediments prevent audit working papers from being passed from a third country to the group auditor, the documentation retained by the group auditor shall include evidence that he or she has undertaken the appropriate procedures in order to gain access to the audit documentation, and in the case of impediments other than legal ones arising from country legislation, evidence supporting such an impediment. Article 27 ¶ 1 (c)] | Audits and risk management | Audits and Risk Management | |
Include the reviewer, and dates, for using evidential matter to test in scope controls in the work papers. CC ID 06998 | Audits and risk management | Establish/Maintain Documentation | |
Include the tests, examinations, interviews and observations performed during the audit in the work papers. CC ID 07190 | Audits and risk management | Establish/Maintain Documentation | |
Include if any subject matter experts or additional research had to be undertaken to test in scope controls in the work papers. CC ID 07026 | Audits and risk management | Establish/Maintain Documentation | |
Include the tester, and dates, for using evidential matter to test in scope controls in the work papers. CC ID 06997 | Audits and risk management | Establish/Maintain Documentation | |
Include any subsequent events related to the audit assertion or audit subject matter in the work papers. CC ID 07177 | Audits and risk management | Audits and Risk Management | |
Include the causes of identified in scope control deficiencies in the work papers. CC ID 07000 | Audits and risk management | Establish/Maintain Documentation | |
Include discussions regarding the causes of identified in scope control deficiencies in the work papers. CC ID 06999 | Audits and risk management | Establish/Maintain Documentation | |
Engage subject matter experts when the auditor requires additional expertise during an attestation engagement, as necessary. CC ID 13971 | Audits and risk management | Process or Activity | |
Establish, implement, and maintain a practitioner’s report on agreed-upon procedures. CC ID 13894 | Audits and risk management | Establish/Maintain Documentation | |
Provide auditors access to all in scope records, in scope assets, personnel and in scope procedures. CC ID 06966 [Where a statutory auditor or audit firm is replaced by another statutory auditor or audit firm, the former statutory auditor or audit firm shall provide the incoming statutory auditor or audit firm with access to all relevant information concerning the audited entity. Article 23 3.] | Audits and risk management | Audits and Risk Management | |
Establish and maintain a practitioner's examination report on pro forma financial information. CC ID 13968 | Audits and risk management | Establish/Maintain Documentation | |
Include references to where financial information was derived in the practitioner's review report on pro forma financial information. CC ID 13982 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that the financial statements used were audited by other practitioners in the practitioner's examination report on pro forma financial information, as necessary. CC ID 13981 | Audits and risk management | Establish/Maintain Documentation | |
Establish and maintain organizational audit reports. CC ID 06731 | Audits and risk management | Establish/Maintain Documentation | |
Include the purpose in the audit report. CC ID 17263 | Audits and risk management | Establish/Maintain Documentation | |
Include the justification for not following the applicable requirements in the audit report. CC ID 16822 | Audits and risk management | Audits and Risk Management | |
Include a statement that the applicable requirements were not followed in the audit report. CC ID 16821 | Audits and risk management | Audits and Risk Management | |
Include audit subject matter in the audit report. CC ID 14882 | Audits and risk management | Establish/Maintain Documentation | |
Include an other-matter paragraph in the audit report. CC ID 14901 | Audits and risk management | Establish/Maintain Documentation | |
Include that the auditee did not provide comments in the audit report. CC ID 16849 | Audits and risk management | Establish/Maintain Documentation | |
Include written agreements in the audit report. CC ID 17266 | Audits and risk management | Establish/Maintain Documentation | |
Write the audit report using clear and conspicuous language. CC ID 13948 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that the sufficiency of the agreed upon procedures is the responsibility of the specified parties in the audit report. CC ID 13936 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that the financial statements were audited in the audit report. CC ID 13963 | Audits and risk management | Establish/Maintain Documentation | |
Include the criteria that financial information was measured against in the audit report. CC ID 13966 | Audits and risk management | Establish/Maintain Documentation | |
Include a description of the financial information being reported on in the audit report. CC ID 13965 | Audits and risk management | Establish/Maintain Documentation | |
Include references to any adjustments of financial information in the audit report. CC ID 13964 | Audits and risk management | Establish/Maintain Documentation | |
Include in the audit report that audit opinions are not dependent on references to subject matter experts, as necessary. CC ID 13953 | Audits and risk management | Establish/Maintain Documentation | |
Include references to historical financial information used in the audit report. CC ID 13961 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement about the inherent limitations of the audit in the audit report. CC ID 14900 | Audits and risk management | Establish/Maintain Documentation | |
Include a description of the limitations on the usefulness of hypothetical assumptions in the audit report. CC ID 13958 | Audits and risk management | Establish/Maintain Documentation | |
Structure the audit report to be in the form of procedures and findings. CC ID 13940 | Audits and risk management | Establish/Maintain Documentation | |
Include information about the organization being audited and the auditor performing the audit in the audit report. CC ID 07004 [In addition to the provisions laid down in Articles 22 and 24, Member States shall ensure that statutory auditors or audit firms that carry out the statutory audit of a public-interest entity: disclose annually to the audit committee any additional services provided to the audited entity; and Article 42 1.(b)] | Audits and risk management | Actionable Reports or Measurements | |
Include any discussions of significant findings in the audit report. CC ID 13955 | Audits and risk management | Establish/Maintain Documentation | |
Include the date and with whom discussions about significant findings took place in the audit report. CC ID 13962 | Audits and risk management | Establish/Maintain Documentation | |
Include the audit criteria in the audit report. CC ID 13945 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement in the audit report that the agreed upon procedures were potentially insufficient in identifying material risks, as necessary. CC ID 13957 | Audits and risk management | Establish/Maintain Documentation | |
Include all hypothetical assumptions in the audit report. CC ID 13947 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that the agreed upon procedures involve collecting evidence in the audit report. CC ID 13956 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that the agreed upon procedures were performed by all parties in the audit report. CC ID 13931 | Audits and risk management | Establish/Maintain Documentation | |
Include references to subject matter experts in the audit report when citing qualified opinions. CC ID 13929 | Audits and risk management | Establish/Maintain Documentation | |
Include a description of the assistance provided by Subject Matter Experts in the audit report. CC ID 13939 | Audits and risk management | Establish/Maintain Documentation | |
Include a review of the subject matter expert's findings in the audit report. CC ID 13972 | Audits and risk management | Establish/Maintain Documentation | |
Include all restrictions on the audit in the audit report. CC ID 13930 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that the auditor has no responsibility to update the audit report after its submission. CC ID 13943 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement on the auditor's ethical requirements in the audit report. CC ID 16767 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that the responsible party refused to provide a written assertion in the audit report. CC ID 13887 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that the examination involves procedures for collecting evidence in the audit report. CC ID 13941 | Audits and risk management | Establish/Maintain Documentation | |
Express an adverse opinion in the audit report when significant assumptions are not suitably supported. CC ID 13944 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that modifications to historical evidence accurately reflect current evidence in the audit report. CC ID 13938 | Audits and risk management | Establish/Maintain Documentation | |
Refrain from referencing previous engagements in the audit report. CC ID 16516 | Audits and risk management | Audits and Risk Management | |
Refrain from referencing other auditors' work in the audit report. CC ID 13881 | Audits and risk management | Establish/Maintain Documentation | |
Include how in scope controls meet external requirements in the audit report. CC ID 16450 | Audits and risk management | Establish/Maintain Documentation | |
Include the in scope records used to obtain audit evidence in the description of tests of controls and results in the audit report. CC ID 14915 | Audits and risk management | Establish/Maintain Documentation | |
Include recommended corrective actions in the audit report. CC ID 16197 | Audits and risk management | Establish/Maintain Documentation | |
Include the cost of corrective action in the audit report. CC ID 17015 | Audits and risk management | Audits and Risk Management | |
Include risks and opportunities in the audit report. CC ID 16196 | Audits and risk management | Establish/Maintain Documentation | |
Include the description of tests of controls and results in the audit report. CC ID 14898 | Audits and risk management | Establish/Maintain Documentation | |
Include the nature of the tests performed in the description of tests of controls and results in the audit report. CC ID 14908 | Audits and risk management | Establish/Maintain Documentation | |
Include the test scope in the description of tests of controls and results in the audit report. CC ID 14906 | Audits and risk management | Establish/Maintain Documentation | |
Identify the stakeholders interviewed to obtain audit evidence in the description of tests of controls and results in the audit report. CC ID 14905 | Audits and risk management | Establish/Maintain Documentation | |
Include the timing of controls in the description of tests of controls and results in the audit report. CC ID 16553 | Audits and risk management | Audits and Risk Management | |
Include the controls that were tested in the description of tests of controls and results in the audit report. CC ID 14902 | Audits and risk management | Establish/Maintain Documentation | |
Include subsequent events related to the audit assertion or audit subject matter in the audit report. CC ID 16773 | Audits and risk management | Establish/Maintain Documentation | |
Include that the organization is the responsible party for providing in scope services in the audit report. CC ID 14903 | Audits and risk management | Establish/Maintain Documentation | |
Include an emphasis-of-matter paragraph in the audit report. CC ID 14890 | Audits and risk management | Establish/Maintain Documentation | |
Refrain from including the description of the audit in the audit report when the auditor is disclaiming an audit opinion. CC ID 13975 | Audits and risk management | Establish/Maintain Documentation | |
Refrain from including scope limitations from changed attestation engagements in the audit report. CC ID 13983 | Audits and risk management | Establish/Maintain Documentation | |
Refrain from including in the audit report any procedures that were performed that the auditor is disclaiming in an audit opinion. CC ID 13974 | Audits and risk management | Establish/Maintain Documentation | |
Include the results of the business impact analysis in the audit report. CC ID 17208 | Audits and risk management | Establish/Maintain Documentation | |
Include qualified opinions in the audit report. CC ID 13928 | Audits and risk management | Establish/Maintain Documentation | |
Include that the auditor did not express an opinion in the audit report, as necessary. CC ID 13886 | Audits and risk management | Establish/Maintain Documentation | |
Refrain from including reference to procedures performed in previous attestation engagements in the audit report. CC ID 13970 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement in the audit report that no procedures were performed subsequent to the date of the practitioner's review report on pro forma financial information, as necessary. CC ID 13969 | Audits and risk management | Establish/Maintain Documentation | |
Include the written signature of the auditor's organization in the audit report. CC ID 13897 [Where an audit firm carries out the statutory audit, the audit report shall be signed by at least the statutory auditor(s) carrying out the statutory audit on behalf of the audit firm. In exceptional circumstances Member States may provide that this signature need not be disclosed to the public if such disclosure could lead to an imminent and significant threat to the personal security of any person. In any case the name(s) of the person(s) involved shall be known to the relevant competent authorities. Article 28 1.] | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that additional reports are being submitted in the audit report. CC ID 16848 | Audits and risk management | Establish/Maintain Documentation | |
Define the roles and responsibilities for distributing the audit report. CC ID 16845 | Audits and risk management | Human Resources Management | |
Disseminate and communicate the reasons the audit report was delayed to interested personnel and affected parties. CC ID 15257 | Audits and risk management | Communicate | |
Notify auditees if disclosure of audit documentation is required by law. CC ID 15249 | Audits and risk management | Communicate | |
Define penalties for uncorrected audit findings or remaining non-compliant with the audit report. CC ID 08963 [If the recommendations referred to in point (j) are not followed up, the statutory auditor or audit firm shall, if applicable, be subject to the system of disciplinary actions or penalties referred to in Article 30. Article 29 1. ¶ 1 Member States shall ensure that there are effective systems of investigations and penalties to detect, correct and prevent inadequate execution of the statutory audit. Article 30 1.] | Audits and risk management | Establish/Maintain Documentation | |
Assess the quality of the audit program in regards to its documentation. CC ID 11622 [Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: the scope of the quality assurance review, supported by adequate testing of selected audit files, shall include an assessment of compliance with applicable auditing standards and independence requirements, of the quantity and quality of resources spent, of the audit fees charged and of the internal quality control system of the audit firm; Article 29 1.(f)] | Audits and risk management | Audits and Risk Management | |
Include the audit criteria in the audit plan. CC ID 15262 | Audits and risk management | Establish/Maintain Documentation | |
Include a list of reference documents in the audit plan. CC ID 15260 | Audits and risk management | Establish/Maintain Documentation | |
Include the languages to be used for the audit in the audit plan. CC ID 15252 | Audits and risk management | Establish/Maintain Documentation | |
Include the allocation of resources in the audit plan. CC ID 15251 | Audits and risk management | Establish/Maintain Documentation | |
Include communication protocols in the audit plan. CC ID 15247 | Audits and risk management | Establish/Maintain Documentation | |
Include the level of audit sampling necessary to collect sufficient audit evidence in the audit plan. CC ID 15246 | Audits and risk management | Establish/Maintain Documentation | |
Include meeting schedules in the audit plan. CC ID 15245 | Audits and risk management | Establish/Maintain Documentation | |
Include the time frames for the audit in the audit plan. CC ID 15244 | Audits and risk management | Establish/Maintain Documentation | |
Include the time frames for conducting the audit in the audit plan. CC ID 15243 | Audits and risk management | Establish/Maintain Documentation | |
Include the locations to be audited in the audit plan. CC ID 15242 | Audits and risk management | Establish/Maintain Documentation | |
Include the processes to be audited in the audit plan. CC ID 15241 | Audits and risk management | Establish/Maintain Documentation | |
Include audit objectives in the audit plan. CC ID 15240 | Audits and risk management | Establish/Maintain Documentation | |
Include the risks associated with audit activities in the audit plan. CC ID 15239 | Audits and risk management | Establish/Maintain Documentation | |
Disseminate and communicate the audit plan to interested personnel and affected parties. CC ID 15238 | Audits and risk management | Communicate | |
Establish, implement, and maintain a disclosure report. CC ID 15521 [The system of public oversight shall be transparent. This shall include the publication of annual work programmes and activity reports. Article 32 6.] | Audits and risk management | Establish/Maintain Documentation | |
Include a summary of the questions and statements from surveys or studies in the disclosure report. CC ID 15631 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that confidential information has been omitted in the disclosure report. CC ID 16598 | Audits and risk management | Establish/Maintain Documentation | |
Include legal proceedings in the disclosure report. CC ID 15564 | Audits and risk management | Establish/Maintain Documentation | |
Include the context of monetary losses from legal proceedings in the disclosure report. CC ID 15533 | Audits and risk management | Establish/Maintain Documentation | |
Include the nature of monetary losses from legal proceedings in the disclosure report. CC ID 15532 | Audits and risk management | Establish/Maintain Documentation | |
Include goals and targets in the disclosure report. CC ID 16339 [Member States shall ensure that statutory auditors and audit firms that carry out statutory audit(s) of public-interest entities publish on their websites, within three months of the end of each financial year, annual transparency reports that include at least the following: a description of the internal quality control system of the audit firm and a statement by the administrative or management body on the effectiveness of its functioning; Article 40 1.(d)] | Audits and risk management | Establish/Maintain Documentation | |
Include the governance, risk, and compliance approach in the disclosure report. CC ID 16024 | Audits and risk management | Establish/Maintain Documentation | |
Include the relationship between organizational requirements and external requirements in the disclosure report. CC ID 16154 | Audits and risk management | Establish/Maintain Documentation | |
Include external requirements in the disclosure report. CC ID 16150 | Audits and risk management | Establish/Maintain Documentation | |
Include the classification of risks and opportunities posed by climate change in the disclosure report. CC ID 16096 | Audits and risk management | Establish/Maintain Documentation | |
Include board oversight of risks and opportunities in the disclosure report. CC ID 16337 | Audits and risk management | Establish/Maintain Documentation | |
Include risk management procedures in the disclosure report. CC ID 16058 | Audits and risk management | Establish/Maintain Documentation | |
Include the risk management strategy in the disclosure report. CC ID 16348 | Audits and risk management | Establish/Maintain Documentation | |
Include risk assessment procedures in the disclosure report. CC ID 16343 | Audits and risk management | Establish/Maintain Documentation | |
Include the organization's primary activities in the disclosure report. CC ID 16043 | Audits and risk management | Establish/Maintain Documentation | |
Include business operations owned by the organization in the disclosure report. CC ID 15614 | Audits and risk management | Establish/Maintain Documentation | |
Include critical business operations that support cloud services in the disclosure report. CC ID 15612 | Audits and risk management | Establish/Maintain Documentation | |
Include the relationship between the tax strategy and the organizational strategy in the disclosure report. CC ID 16035 | Audits and risk management | Establish/Maintain Documentation | |
Include reference to assurance statements in the disclosure report. CC ID 16033 [Member States shall ensure that statutory auditors and audit firms that carry out statutory audit(s) of public-interest entities publish on their websites, within three months of the end of each financial year, annual transparency reports that include at least the following: an indication of when the last quality assurance review referred to in Article 29 took place; Article 40 1.(e)] | Audits and risk management | Establish/Maintain Documentation | |
Include a description of assurance processes in the disclosure report. CC ID 16031 [Member States shall ensure that statutory auditors and audit firms that carry out statutory audit(s) of public-interest entities publish on their websites, within three months of the end of each financial year, annual transparency reports that include at least the following: a description of the internal quality control system of the audit firm and a statement by the administrative or management body on the effectiveness of its functioning; Article 40 1.(d)] | Audits and risk management | Establish/Maintain Documentation | |
Include metrics in the disclosure report. CC ID 15916 | Audits and risk management | Establish/Maintain Documentation | |
Include metrics on diversity and equal opportunity in the disclosure report. CC ID 15934 | Audits and risk management | Establish/Maintain Documentation | |
Include the percentage of individuals in each racial group or ethnic group in the disclosure report. CC ID 15632 | Audits and risk management | Establish/Maintain Documentation | |
Include the percentage of individuals in specified age groups in the disclosure report. CC ID 15871 | Audits and risk management | Establish/Maintain Documentation | |
Include the number of individuals in each region in the disclosure report. CC ID 15835 | Audits and risk management | Establish/Maintain Documentation | |
Include the number of individuals in each gender category in the disclosure report. CC ID 15633 | Audits and risk management | Establish/Maintain Documentation | |
Include the total number of incidents of discrimination in the disclosure report. CC ID 15788 | Audits and risk management | Establish/Maintain Documentation | |
Include the ratio of the basic salary and remuneration of women and men in the disclosure report. CC ID 15869 | Audits and risk management | Establish/Maintain Documentation | |
Include the percentage of individuals in specified diversity categories in the disclosure report. CC ID 15870 | Audits and risk management | Establish/Maintain Documentation | |
Include metrics criteria in the disclosure report. CC ID 16143 | Audits and risk management | Establish/Maintain Documentation | |
Include risk management metrics in the disclosure report. CC ID 16345 | Audits and risk management | Establish/Maintain Documentation | |
Include financial management metrics in the disclosure report. CC ID 16042 [Member States shall ensure that statutory auditors and audit firms that carry out statutory audit(s) of public-interest entities publish on their websites, within three months of the end of each financial year, annual transparency reports that include at least the following: financial information showing the importance of the audit firm, such as the total turnover divided into fees from the statutory audit of annual and consolidated accounts, and fees charged for other assurance services, tax advisory services and other non-audit services; Article 40 1.(i)] | Audits and risk management | Establish/Maintain Documentation | |
Include a breakdown of financial assistance received from the government in the disclosure report. CC ID 16104 | Audits and risk management | Establish/Maintain Documentation | |
Include metrics on anti-corruption in the disclosure report. CC ID 16052 | Audits and risk management | Establish/Maintain Documentation | |
Include environmental management metrics in the disclosure report. CC ID 16012 | Audits and risk management | Establish/Maintain Documentation | |
Include a breakdown, by extinction risk, of the listed species with habitats in areas affected by organizational operations in the disclosure report. CC ID 16041 | Audits and risk management | Establish/Maintain Documentation | |
Include metrics on procurement practices in the disclosure report. CC ID 16011 | Audits and risk management | Establish/Maintain Documentation | |
Include emissions management metrics in the disclosure report. CC ID 15987 | Audits and risk management | Establish/Maintain Documentation | |
Include compliance metrics in the disclosure report. CC ID 15932 | Audits and risk management | Establish/Maintain Documentation | |
Include the total amount of monetary losses from legal proceedings in the disclosure report. CC ID 15548 | Audits and risk management | Establish/Maintain Documentation | |
Include the total number of incidents of non-compliance in the disclosure report. CC ID 15813 | Audits and risk management | Establish/Maintain Documentation | |
Include metrics on labor-management relations in the disclosure report. CC ID 15935 | Audits and risk management | Establish/Maintain Documentation | |
Include the minimum number of weeks' notice provided to employees and their representatives prior to the implementation of significant operational changes that could substantially affect them in the disclosure report. CC ID 15895 | Audits and risk management | Establish/Maintain Documentation | |
Include waste management metrics in the disclosure report. CC ID 15925 | Audits and risk management | Establish/Maintain Documentation | |
Include the total weight of hazardous waste directed to disposal in the disclosure report. CC ID 15774 | Audits and risk management | Establish/Maintain Documentation | |
Include the total weight of waste generated in the disclosure report. CC ID 15778 | Audits and risk management | Establish/Maintain Documentation | |
Include a breakdown of hazardous waste directed to disposal in the disclosure report. CC ID 15781 | Audits and risk management | Establish/Maintain Documentation | |
Include a breakdown of waste generated in the disclosure report. CC ID 15775 | Audits and risk management | Establish/Maintain Documentation | |
Include the total weight of non-hazardous waste directed to disposal in the disclosure report. CC ID 15772 | Audits and risk management | Establish/Maintain Documentation | |
Include a breakdown of non-hazardous waste directed to disposal in the disclosure report. CC ID 15780 | Audits and risk management | Establish/Maintain Documentation | |
Include the total weight of non-hazardous waste diverted from disposal in the disclosure report. CC ID 15770 | Audits and risk management | Establish/Maintain Documentation | |
Include a breakdown of non-hazardous waste diverted from disposal in the disclosure report. CC ID 15771 | Audits and risk management | Establish/Maintain Documentation | |
Include the total weight of waste diverted from disposal in the disclosure report. CC ID 15766 | Audits and risk management | Establish/Maintain Documentation | |
Include a breakdown of waste diverted from disposal in the disclosure report. CC ID 15767 | Audits and risk management | Establish/Maintain Documentation | |
Include the total weight of hazardous waste diverted from disposal in the disclosure report. CC ID 15768 | Audits and risk management | Establish/Maintain Documentation | |
Include a breakdown of hazardous waste diverted from disposal in the disclosure report. CC ID 15769 | Audits and risk management | Establish/Maintain Documentation | |
Include the total weight of waste directed to disposal in the disclosure report. CC ID 15777 | Audits and risk management | Establish/Maintain Documentation | |
Include a breakdown of waste directed to disposal in the disclosure report. CC ID 15776 | Audits and risk management | Establish/Maintain Documentation | |
Include product and service management metrics in the disclosure report. CC ID 15917 | Audits and risk management | Establish/Maintain Documentation | |
Include the number of products and services provided by the organization in the disclosure report. CC ID 15833 | Audits and risk management | Establish/Maintain Documentation | |
Include the percentage of product or service categories assessed for compliance in the disclosure report. CC ID 15811 | Audits and risk management | Establish/Maintain Documentation | |
Include water management metrics in the disclosure report. CC ID 15924 | Audits and risk management | Establish/Maintain Documentation | |
Include the total water withdrawal in the disclosure report. CC ID 15593 | Audits and risk management | Establish/Maintain Documentation | |
Include the total water withdrawal from locations with significant baseline water stress in the disclosure report. CC ID 15596 | Audits and risk management | Establish/Maintain Documentation | |
Include a breakdown of water withdrawal from locations with significant baseline water stress in the disclosure report. CC ID 15794 | Audits and risk management | Establish/Maintain Documentation | |
Include a breakdown of water withdrawal in the disclosure report. CC ID 15795 | Audits and risk management | Establish/Maintain Documentation | |
Include the total water discharge in the disclosure report. CC ID 15758 | Audits and risk management | Establish/Maintain Documentation | |
Include a breakdown of water discharge in the disclosure report. CC ID 15759 | Audits and risk management | Establish/Maintain Documentation | |
Include the total water discharge to locations with significant baseline water stress in the disclosure report. CC ID 15760 | Audits and risk management | Establish/Maintain Documentation | |
Include a breakdown of water discharge to locations with significant baseline water stress in the disclosure report. CC ID 15797 | Audits and risk management | Establish/Maintain Documentation | |
Include the total water consumption in the disclosure report. CC ID 15642 | Audits and risk management | Establish/Maintain Documentation | |
Include the total water consumption in locations with significant baseline water stress in the disclosure report. CC ID 15598 | Audits and risk management | Establish/Maintain Documentation | |
Include the total number of complaints received in the disclosure report. CC ID 15728 | Audits and risk management | Establish/Maintain Documentation | |
Include the percentage of individuals involved in the study or survey in the disclosure report. CC ID 15643 | Audits and risk management | Establish/Maintain Documentation | |
Include employment practices metrics in the disclosure report. CC ID 15921 [Member States shall ensure that statutory auditors and audit firms that carry out statutory audit(s) of public-interest entities publish on their websites, within three months of the end of each financial year, annual transparency reports that include at least the following: information concerning the basis for the partners' remuneration. Article 40 1.(j)] | Audits and risk management | Establish/Maintain Documentation | |
Include the percentage of employees that are foreign nationals in the disclosure report. CC ID 15622 | Audits and risk management | Actionable Reports or Measurements | |
Include the percentage of offshore employees in the disclosure report. CC ID 15623 | Audits and risk management | Actionable Reports or Measurements | |
Include the percentage of employee engagement in the disclosure report. CC ID 15634 | Audits and risk management | Actionable Reports or Measurements | |
Include the rate of employee turnover in the disclosure report. CC ID 15898 | Audits and risk management | Establish/Maintain Documentation | |
Include the total number of new employee hires in the disclosure report. CC ID 15896 | Audits and risk management | Establish/Maintain Documentation | |
Include the total number of employees in the disclosure report. CC ID 15834 | Audits and risk management | Establish/Maintain Documentation | |
Include metrics on parental leave in the disclosure report. CC ID 15936 | Audits and risk management | Establish/Maintain Documentation | |
Include the total number of employees that returned to work after parental leave ended that were still employed twelve months after their return to work in the disclosure report. CC ID 15906 | Audits and risk management | Establish/Maintain Documentation | |
Include the number of hours worked in the disclosure report. CC ID 15910 | Audits and risk management | Establish/Maintain Documentation | |
Include metrics on public policy advocacy in the disclosure report. CC ID 15947 | Audits and risk management | Establish/Maintain Documentation | |
Include the total monetary value of political contributions in the disclosure report. CC ID 15803 | Audits and risk management | Establish/Maintain Documentation | |
Include metrics on training and education in the disclosure report. CC ID 15940 | Audits and risk management | Establish/Maintain Documentation | |
Include the percentage of total employees who received a performance review in the disclosure report. CC ID 15877 | Audits and risk management | Establish/Maintain Documentation | |
Include the average hours of training undertaken by employees in the disclosure report. CC ID 15881 | Audits and risk management | Establish/Maintain Documentation | |
Include the percentage of security personnel who have received training on human rights policies and their application to security in the disclosure report. CC ID 15726 | Audits and risk management | Actionable Reports or Measurements | |
Include operational metrics in the disclosure report. CC ID 15939 | Audits and risk management | Establish/Maintain Documentation | |
Include incident management metrics in the disclosure report. CC ID 15926 | Audits and risk management | Establish/Maintain Documentation | |
Include the number of service disruptions in services provided to users in the disclosure report. CC ID 15618 | Audits and risk management | Establish/Maintain Documentation | |
Include the total user downtime in the disclosure report. CC ID 15635 | Audits and risk management | Actionable Reports or Measurements | |
Include the number of performance issues in services provided to users in the disclosure report. CC ID 15606 | Audits and risk management | Establish/Maintain Documentation | |
Include the total number of operations performed by the organization in the disclosure report. CC ID 15831 | Audits and risk management | Establish/Maintain Documentation | |
Include metrics on information privacy and freedom of expression in the disclosure report. CC ID 15933 | Audits and risk management | Establish/Maintain Documentation | |
Include the percentage of content removal requests with which the organization complied in the disclosure report. CC ID 15649 | Audits and risk management | Actionable Reports or Measurements | |
Include the number of individuals whose personal data is maintained in the disclosure report. CC ID 16792 | Audits and risk management | Actionable Reports or Measurements | |
Include the number of individuals whose information is used for secondary purposes in the disclosure report. CC ID 15557 | Audits and risk management | Establish/Maintain Documentation | |
Include the total number of leaks, thefts, or losses of restricted data in the disclosure report. CC ID 15729 | Audits and risk management | Establish/Maintain Documentation | |
Include the number of content removal requests in the disclosure report. CC ID 15647 | Audits and risk management | Establish/Maintain Documentation | |
Include the percentage of individuals affected by monitoring, blocking, or filtering in the disclosure report. CC ID 15640 | Audits and risk management | Establish/Maintain Documentation | |
Include the total number of unique requests for an individual's information in the disclosure report. CC ID 15542 | Audits and risk management | Establish/Maintain Documentation | |
Include the percentage of data breaches which involved personal data in the disclosure report. CC ID 15543 | Audits and risk management | Establish/Maintain Documentation | |
Include third party management metrics in the disclosure report. CC ID 15923 | Audits and risk management | Establish/Maintain Documentation | |
Include the total number of contractors and outsource partners in the disclosure report. CC ID 15837 | Audits and risk management | Establish/Maintain Documentation | |
Include metrics on supplier environmental assessments in the disclosure report. CC ID 15937 | Audits and risk management | Establish/Maintain Documentation | |
Include the percentage of suppliers identified as having significant negative environmental impacts with which improvements were agreed upon as a result of assessment in the disclosure report. CC ID 15884 | Audits and risk management | Establish/Maintain Documentation | |
Include the percentage of suppliers identified as having significant negative environmental impacts with which relationships were terminated as a result of assessment in the disclosure report. CC ID 15883 | Audits and risk management | Establish/Maintain Documentation | |
Include the number of suppliers assessed for environmental impacts in the disclosure report. CC ID 15886 | Audits and risk management | Establish/Maintain Documentation | |
Include the number of suppliers identified as having significant negative environmental impacts in the disclosure report. CC ID 15885 | Audits and risk management | Establish/Maintain Documentation | |
Include the percentage of new suppliers that were screened using environmental criteria in the disclosure report. CC ID 15887 | Audits and risk management | Establish/Maintain Documentation | |
Include metrics on supplier social assessments in the disclosure report. CC ID 15938 | Audits and risk management | Establish/Maintain Documentation | |
Include the percentage of new suppliers that were screened using social criteria in the disclosure report. CC ID 15808 | Audits and risk management | Establish/Maintain Documentation | |
Include the number of suppliers with significant negative social impacts in the disclosure report. CC ID 15807 | Audits and risk management | Establish/Maintain Documentation | |
Include the percentage of suppliers with significant negative social impacts with which improvements were agreed upon in the disclosure report. CC ID 15806 | Audits and risk management | Establish/Maintain Documentation | |
Include the percentage of suppliers having significant negative social impacts with which relationships were terminated in the disclosure report. CC ID 15805 | Audits and risk management | Establish/Maintain Documentation | |
Include the number of suppliers assessed for social impacts in the disclosure report. CC ID 15810 | Audits and risk management | Establish/Maintain Documentation | |
Include customer health and safety management metrics in the disclosure report. CC ID 15922 | Audits and risk management | Establish/Maintain Documentation | |
Include the percentage of product or service categories for which health and safety impacts are assessed for improvement in the disclosure report. CC ID 15814 | Audits and risk management | Establish/Maintain Documentation | |
Include energy management metrics in the disclosure report. CC ID 15920 | Audits and risk management | Establish/Maintain Documentation | |
Include the total energy reduction in the disclosure report. CC ID 15749 | Audits and risk management | Establish/Maintain Documentation | |
Include the total amount of reductions in the energy requirements of products and services in the disclosure report. CC ID 15751 | Audits and risk management | Establish/Maintain Documentation | |
Exclude energy reduction resulting from reduced production capacity or outsourcing in the disclosure report. CC ID 15750 | Audits and risk management | Establish/Maintain Documentation | |
Include the total heating sold in the disclosure report. CC ID 15739 | Audits and risk management | Establish/Maintain Documentation | |
Include the energy intensity ratio in the disclosure report. CC ID 15735 | Audits and risk management | Actionable Reports or Measurements | |
Include the total fuel consumption from non-renewable energy sources in the disclosure report. CC ID 15746 | Audits and risk management | Establish/Maintain Documentation | |
Include the total electricity sold in the disclosure report. CC ID 15740 | Audits and risk management | Establish/Maintain Documentation | |
Include the total energy consumption in the disclosure report. CC ID 15506 | Audits and risk management | Establish/Maintain Documentation | |
Include the total fuel consumption from renewable energy sources in the disclosure report. CC ID 15744 | Audits and risk management | Establish/Maintain Documentation | |
Include the total heating consumption in the disclosure report. CC ID 15743 | Audits and risk management | Establish/Maintain Documentation | |
Include the total cooling sold in the disclosure report. CC ID 15738 | Audits and risk management | Establish/Maintain Documentation | |
Include the total cooling consumption in the disclosure report. CC ID 15742 | Audits and risk management | Establish/Maintain Documentation | |
Include the total steam sold in the disclosure report. CC ID 15737 | Audits and risk management | Establish/Maintain Documentation | |
Include the total steam consumption in the disclosure report. CC ID 15741 | Audits and risk management | Establish/Maintain Documentation | |
Include the fuel types used in the disclosure report. CC ID 15745 | Audits and risk management | Establish/Maintain Documentation | |
Include materials management metrics in the disclosure report. CC ID 15919 | Audits and risk management | Establish/Maintain Documentation | |
Include the total weight or volume of renewable materials used by the organization in the disclosure report. CC ID 15791 | Audits and risk management | Establish/Maintain Documentation | |
Include the weight of recovered materials through product take-back programs and recycling services in the disclosure report. CC ID 15562 | Audits and risk management | Establish/Maintain Documentation | |
Include the total weight or volume of non-renewable materials used by the organization in the disclosure report. CC ID 15792 | Audits and risk management | Establish/Maintain Documentation | |
Include occupational health and safety management metrics in the disclosure report. CC ID 15918 | Audits and risk management | Establish/Maintain Documentation | |
Include the total number of employees and non-employees covered by the occupational health and safety management system in the disclosure report. CC ID 15891 | Audits and risk management | Establish/Maintain Documentation | |
Include the total number of work-related injuries in the disclosure report. CC ID 15899 | Audits and risk management | Establish/Maintain Documentation | |
Include the number of cases of work-related ill health in the disclosure report. CC ID 15914 | Audits and risk management | Establish/Maintain Documentation | |
Include outsourcing arrangements in the disclosure report. CC ID 15621 | Audits and risk management | Establish/Maintain Documentation | |
Include business operations outsourced to third parties in the disclosure report. CC ID 15616 | Audits and risk management | Establish/Maintain Documentation | |
Include how material topics are managed in the disclosure report. CC ID 15657 | Audits and risk management | Establish/Maintain Documentation | |
Include disclosures for each material topic in the disclosure report. CC ID 15658 | Audits and risk management | Establish/Maintain Documentation | |
Include a description of how the organization manages privacy in the disclosure report. CC ID 15785 | Audits and risk management | Establish/Maintain Documentation | |
Include the content removal policy in the disclosure report. CC ID 15650 | Audits and risk management | Establish/Maintain Documentation | |
Include the level of management approval required for content removal requests in the disclosure report. CC ID 15653 | Audits and risk management | Establish/Maintain Documentation | |
Include requirements for content removal requests in the disclosure report. CC ID 15652 | Audits and risk management | Establish/Maintain Documentation | |
Include the conditions for denying content removal requests in the disclosure report. CC ID 15651 | Audits and risk management | Establish/Maintain Documentation | |
Include the scope of content removal requests in the disclosure report. CC ID 15648 | Audits and risk management | Establish/Maintain Documentation | |
Include a description of data subjects in the disclosure report. CC ID 16791 | Audits and risk management | Establish/Maintain Documentation | |
Include the categories of personal data maintained by the organization in the disclosure report. CC ID 16790 | Audits and risk management | Establish/Maintain Documentation | |
Include a business need justification for personal data processing in the disclosure report. CC ID 16788 | Audits and risk management | Establish/Maintain Documentation | |
Include the personal data use purpose specification in the disclosure report. CC ID 16786 | Audits and risk management | Establish/Maintain Documentation | |
Include a description of the information systems that process personal data in the disclosure report. CC ID 16784 | Audits and risk management | Establish/Maintain Documentation | |
Include the policies and procedures related to freedom of expression in the disclosure report. CC ID 15604 | Audits and risk management | Establish/Maintain Documentation | |
Include dispute resolution quality measures in the disclosure report. CC ID 16312 | Audits and risk management | Establish/Maintain Documentation | |
Include all data requests that resulted in compliance with the disclosure request in the disclosure report. CC ID 15547 | Audits and risk management | Establish/Maintain Documentation | |
Include individuals whose information is provided to third parties for secondary purposes in the disclosure report. CC ID 15559 | Audits and risk management | Establish/Maintain Documentation | |
Include the disclosure of aggregated, de-identified, and anonymized data to the requesting party in the disclosure report. CC ID 15570 | Audits and risk management | Establish/Maintain Documentation | |
Include a description of how the organization manages records in the disclosure report. CC ID 16787 | Audits and risk management | Establish/Maintain Documentation | |
Include a description of how the organization manages anti-corruption in the disclosure report. CC ID 16055 | Audits and risk management | Establish/Maintain Documentation | |
Include a description of incidents of corruption in the disclosure report. CC ID 16067 | Audits and risk management | Establish/Maintain Documentation | |
Include significant risks related to corruption in the disclosure report. CC ID 16065 | Audits and risk management | Establish/Maintain Documentation | |
Include the interested personnel and affected parties to whom the anti-corruption program has been communicated in the disclosure report. CC ID 16064 | Audits and risk management | Establish/Maintain Documentation | |
Include a description of how the organization manages economic performance in the disclosure report. CC ID 16054 | Audits and risk management | Establish/Maintain Documentation | |
Include risks and opportunities posed by climate change in the disclosure report. CC ID 16060 | Audits and risk management | Establish/Maintain Documentation | |
Include a justification for reporting financial data on a cash basis in the disclosure report. CC ID 16059 | Audits and risk management | Establish/Maintain Documentation | |
Include a description of how the organization manages biodiversity in the disclosure report. CC ID 15986 | Audits and risk management | Establish/Maintain Documentation | |
Include whether habitat restoration measures have been approved by independent external professionals in the disclosure report. CC ID 16075 | Audits and risk management | Establish/Maintain Documentation | |
Include the condition of habitat areas protected or restored by the organization in the disclosure report. CC ID 16040 | Audits and risk management | Establish/Maintain Documentation | |
Include whether third party relationships exist to protect or restore habitat areas in the disclosure report. CC ID 16039 | Audits and risk management | Establish/Maintain Documentation | |
Include the biodiversity value of operational sites in the disclosure report. CC ID 16034 | Audits and risk management | Establish/Maintain Documentation | |
Include the type of operations near areas of high biodiversity value in the disclosure report. CC ID 16025 | Audits and risk management | Establish/Maintain Documentation | |
Include the location of operational sites near areas of high biodiversity value in the disclosure report. CC ID 16020 | Audits and risk management | Establish/Maintain Documentation | |
Include the location of habitat areas protected or restored by the organization in the disclosure report. CC ID 16018 | Audits and risk management | Establish/Maintain Documentation | |
Include the species impacted by organizational activities, products, and services in the disclosure report. CC ID 16015 | Audits and risk management | Establish/Maintain Documentation | |
Include underground land owned by the organization near areas of high biodiversity value in the disclosure report. CC ID 16014 | Audits and risk management | Establish/Maintain Documentation | |
Include a description of how the organization manages taxes in the disclosure report. CC ID 15985 | Audits and risk management | Establish/Maintain Documentation | |
Include the frequency of tax strategy reviews in the disclosure report. CC ID 16074 | Audits and risk management | Establish/Maintain Documentation | |
Include a justification for differences between corporate income tax accrued and tax due in the disclosure report. CC ID 16051 | Audits and risk management | Establish/Maintain Documentation | |
Include the tax jurisdictions in the disclosure report. CC ID 16047 | Audits and risk management | Establish/Maintain Documentation | |
Include the roles and responsibilities assigned to tax governance and control in the disclosure report. CC ID 16030 | Audits and risk management | Establish/Maintain Documentation | |
Include the tax strategy in the disclosure report. CC ID 16029 | Audits and risk management | Establish/Maintain Documentation | |
Include the tax governance and control framework in the disclosure report. CC ID 16028 | Audits and risk management | Establish/Maintain Documentation | |
Include the management of tax risks in the disclosure report. CC ID 16026 | Audits and risk management | Establish/Maintain Documentation | |
Include a description of how the organization manages market presence in the disclosure report. CC ID 15983 | Audits and risk management | Establish/Maintain Documentation | |
Include the actions taken to determine whether workers are paid above minimum wage in the disclosure report. CC ID 16056 | Audits and risk management | Establish/Maintain Documentation | |
Include the local minimum wage in the disclosure report. CC ID 15992 | Audits and risk management | Establish/Maintain Documentation | |
Include a description of how the organization manages anti-competitive behavior in the disclosure report. CC ID 15981 | Audits and risk management | Establish/Maintain Documentation | |
Include a description of how the organization manages procurement practices in the disclosure report. CC ID 15980 | Audits and risk management | Establish/Maintain Documentation | |
Include a description of how the organization manages indirect economic impacts in the disclosure report. CC ID 15979 | Audits and risk management | Establish/Maintain Documentation | |
Include service and infrastructure investments that benefit the public in the disclosure report. CC ID 15984 | Audits and risk management | Establish/Maintain Documentation | |
Include a description of how the organization manages emissions in the disclosure report. CC ID 15970 | Audits and risk management | Establish/Maintain Documentation | |
Include the risks related to greenhouse gas emissions in the disclosure report. CC ID 16338 | Audits and risk management | Establish/Maintain Documentation | |
Include the emissions management plan in the disclosure report. CC ID 16177 | Audits and risk management | Establish/Maintain Documentation | |
Include the scope of the emissions management plan in the disclosure report. CC ID 16168 | Audits and risk management | Establish/Maintain Documentation | |
Include emission reduction targets in the disclosure report. CC ID 16148 | Audits and risk management | Establish/Maintain Documentation | |
Include the scope of emission reduction targets in the disclosure report. CC ID 16149 | Audits and risk management | Establish/Maintain Documentation | |
Include the scope of greenhouse gas emissions in the disclosure report. CC ID 16147 | Audits and risk management | Establish/Maintain Documentation | |
Include a description of carbon offsets in the disclosure report. CC ID 15988 | Audits and risk management | Establish/Maintain Documentation | |
Include the design and development of data centers in the disclosure report. CC ID 15620 | Audits and risk management | Establish/Maintain Documentation | |
Include a list of countries or geographical regions where the organization's products and services are monitored, blocked, or filtered in the disclosure report. CC ID 15601 | Audits and risk management | Establish/Maintain Documentation | |
Include a list of products affected by monitoring, blocking, or filtering in the disclosure report. CC ID 15641 | Audits and risk management | Establish/Maintain Documentation | |
Include the implications of blocking or censorship on an organization's products and services in the disclosure report. CC ID 15639 | Audits and risk management | Establish/Maintain Documentation | |
Identify products and services affected by monitoring or blocking in the disclosure report. CC ID 15638 | Audits and risk management | Establish/Maintain Documentation | |
Include the reasons modifications were made to existing products and services in the disclosure report. CC ID 15637 | Audits and risk management | Establish/Maintain Documentation | |
Include the differences between products and services being offered in different markets in the disclosure report. CC ID 15636 | Audits and risk management | Establish/Maintain Documentation | |
Include a description of how the organization manages customer health and safety in the disclosure report. CC ID 15801 | Audits and risk management | Establish/Maintain Documentation | |
Include the nature of complaints received in the disclosure report. CC ID 15844 | Audits and risk management | Establish/Maintain Documentation | |
Include a description of how the organization manages child labor in the disclosure report. CC ID 15851 | Audits and risk management | Establish/Maintain Documentation | |
Include operations with a risk for incidents of child labor in the disclosure report. CC ID 15864 | Audits and risk management | Establish/Maintain Documentation | |
Include third parties with a risk for incidents of child labor in the disclosure report. CC ID 15863 | Audits and risk management | Establish/Maintain Documentation | |
Include operations with a risk for exposing young workers to hazardous work in the disclosure report. CC ID 15862 | Audits and risk management | Establish/Maintain Documentation | |
Include third parties with a risk for exposing young workers to hazardous work in the disclosure report. CC ID 15861 | Audits and risk management | Establish/Maintain Documentation | |
Include the locations that are at risk for incidents of child labor in the disclosure report. CC ID 15860 | Audits and risk management | Establish/Maintain Documentation | |
Include the measures taken to abolish child labor in the disclosure report. CC ID 15859 | Audits and risk management | Establish/Maintain Documentation | |
Include a description of how the organization manages diversity and equal opportunity in the disclosure report. CC ID 15853 | Audits and risk management | Establish/Maintain Documentation | |
Include the employee representation program in the disclosure report. CC ID 15628 | Audits and risk management | Establish/Maintain Documentation | |
Include a description of how the organization manages marketing and labeling in the disclosure report. CC ID 15802 | Audits and risk management | Establish/Maintain Documentation | |
Include the information required by the product and service information and labeling procedures in the disclosure report. CC ID 15812 | Audits and risk management | Establish/Maintain Documentation | |
Include a description of how the organization manages occupational health and safety in the disclosure report. CC ID 15888 | Audits and risk management | Establish/Maintain Documentation | |
Include the workers covered by the occupational health and safety management system in the disclosure report. CC ID 16151 | Audits and risk management | Establish/Maintain Documentation | |
Include a description of voluntary health promotion programs in the disclosure report. CC ID 16119 | Audits and risk management | Establish/Maintain Documentation | |
Include the main types of work-related ill health in the disclosure report. CC ID 15961 | Audits and risk management | Establish/Maintain Documentation | |
Include a description of formal joint management-worker health and safety committees in the disclosure report. CC ID 15913 | Audits and risk management | Establish/Maintain Documentation | |
Include the reasons workers are not represented by formal joint management-worker health and safety committees in the disclosure report. CC ID 15912 | Audits and risk management | Establish/Maintain Documentation | |
Include work-related hazards in the disclosure report. CC ID 15911 | Audits and risk management | Establish/Maintain Documentation | |
Include a description of the occupational health and safety risk assessment process in the disclosure report. CC ID 15909 | Audits and risk management | Establish/Maintain Documentation | |
Include a description of occupational health and safety training in the disclosure report. CC ID 15908 | Audits and risk management | Establish/Maintain Documentation | |
Include how occupational health and safety information is disseminated and communicated in the disclosure report. CC ID 15907 | Audits and risk management | Establish/Maintain Documentation | |
Include the occupational health and safety risk reporting process in the disclosure report. CC ID 15904 | Audits and risk management | Establish/Maintain Documentation | |
Include the occupational health and safety policy in the disclosure report. CC ID 15905 | Audits and risk management | Establish/Maintain Documentation | |
Include the processes used to investigate work-related incidents in the disclosure report. CC ID 15903 | Audits and risk management | Establish/Maintain Documentation | |
Include a description of the occupational health and safety management system in the disclosure report. CC ID 15901 | Audits and risk management | Establish/Maintain Documentation | |
Include the main types of work-related injury in the disclosure report. CC ID 15959 | Audits and risk management | Establish/Maintain Documentation | |
Include a description of how the organization manages forced or compulsory labor in the disclosure report. CC ID 15850 | Audits and risk management | Establish/Maintain Documentation | |
Include operations with a risk for forced or compulsory labor in the disclosure report. CC ID 15858 | Audits and risk management | Establish/Maintain Documentation | |
Include third parties with a risk for forced or compulsory labor in the disclosure report. CC ID 15857 | Audits and risk management | Establish/Maintain Documentation | |
Include the locations with a risk for forced or compulsory labor in the disclosure report. CC ID 15856 | Audits and risk management | Establish/Maintain Documentation | |
Include the measures taken to eliminate forced or compulsory labor in the disclosure report. CC ID 15855 | Audits and risk management | Establish/Maintain Documentation | |
Include the measures taken to protect whistleblowers against retaliation in the disclosure report. CC ID 15902 | Audits and risk management | Establish/Maintain Documentation | |
Include a description of how the organization manages employment in the disclosure report. CC ID 15890 | Audits and risk management | Establish/Maintain Documentation | |
Include the risks of recruiting foreign nationals and offshore employees in the disclosure report. CC ID 15624 | Audits and risk management | Establish/Maintain Documentation | |
Include the process for reporting near misses in the disclosure report. CC ID 16211 | Audits and risk management | Establish/Maintain Documentation | |
Include the extent to which benefit plan liabilities are covered in the disclosure report. CC ID 16109 | Audits and risk management | Establish/Maintain Documentation | |
Include the level of participation in benefit plans in the disclosure report. CC ID 16057 | Audits and risk management | Establish/Maintain Documentation | |
Include the Code of Conduct in the disclosure report. CC ID 16205 | Audits and risk management | Establish/Maintain Documentation | |
Include the standard benefits for full-time employees in the disclosure report. CC ID 15897 | Audits and risk management | Establish/Maintain Documentation | |
Include a description of how the organization manages labor-management relations in the disclosure report. CC ID 15889 | Audits and risk management | Establish/Maintain Documentation | |
Include the scope of work stoppages in the disclosure report. CC ID 16215 | Audits and risk management | Establish/Maintain Documentation | |
Include the reason for each work stoppage in the disclosure report. CC ID 16213 | Audits and risk management | Establish/Maintain Documentation | |
Include the impact of work stoppages in the disclosure report. CC ID 16212 | Audits and risk management | Establish/Maintain Documentation | |
Include a description of collective bargaining agreements in the disclosure report. CC ID 15894 | Audits and risk management | Establish/Maintain Documentation | |
Include a description of how the organization manages supplier environmental assessment in the disclosure report. CC ID 15876 | Audits and risk management | Establish/Maintain Documentation | |
Include the reasons why relationships were terminated with suppliers having significant negative environmental impacts in the disclosure report. CC ID 15882 | Audits and risk management | Establish/Maintain Documentation | |
Include a description of how the organization manages training and education in the disclosure report. CC ID 15875 [Member States shall ensure that statutory auditors and audit firms that carry out statutory audit(s) of public-interest entities publish on their websites, within three months of the end of each financial year, annual transparency reports that include at least the following: a statement on the policy followed by the audit firm concerning the continuing education of statutory auditors referred to in Article 13; Article 40 1.(h)] | Audits and risk management | Establish/Maintain Documentation | |
Include a description of professional development programs in the disclosure report. CC ID 15880 | Audits and risk management | Establish/Maintain Documentation | |
Include a description of professional development assistance in the disclosure report. CC ID 15879 | Audits and risk management | Establish/Maintain Documentation | |
Include a description of transition assistance programs in the disclosure report. CC ID 15878 | Audits and risk management | Establish/Maintain Documentation | |
Include a description of how the organization manages freedom of association and collective bargaining in the disclosure report. CC ID 15852 | Audits and risk management | Establish/Maintain Documentation | |
Include the types of operations in which workers' rights to exercise freedom of association and collective bargaining may be violated in the disclosure report. CC ID 15868 | Audits and risk management | Establish/Maintain Documentation | |
Include the types of third parties for which workers' rights to exercise freedom of association and collective bargaining may be violated in the disclosure report. CC ID 15867 | Audits and risk management | Establish/Maintain Documentation | |
Include the locations at risk of violating workers' rights to exercise freedom of association and collective bargaining in the disclosure report. CC ID 15866 | Audits and risk management | Establish/Maintain Documentation | |
Include the measures taken to support workers' rights to exercise freedom of association and collective bargaining in the disclosure report. CC ID 15865 | Audits and risk management | Establish/Maintain Documentation | |
Include a description of how the organization manages waste in the disclosure report. CC ID 15765 | Audits and risk management | Establish/Maintain Documentation | |
Include the material of spills in the disclosure report. CC ID 15968 | Audits and risk management | Establish/Maintain Documentation | |
Include the location of spills in the disclosure report. CC ID 15964 | Audits and risk management | Establish/Maintain Documentation | |
Include a description of how the organization manages the rights of indigenous peoples in the disclosure report. CC ID 15849 | Audits and risk management | Establish/Maintain Documentation | |
Include products that contain declarable substances in the disclosure report. CC ID 16161 | Audits and risk management | Establish/Maintain Documentation | |
Include a description of how the organization manages supplier social assessment in the disclosure report. CC ID 15799 | Audits and risk management | Establish/Maintain Documentation | |
Include the reason why relationships were terminated with suppliers having significant negative social impacts in the disclosure report. CC ID 15804 | Audits and risk management | Establish/Maintain Documentation | |
Include a description of how the organization manages energy in the disclosure report. CC ID 15783 | Audits and risk management | Establish/Maintain Documentation | |
Include the types of energy affected by energy reduction in the disclosure report. CC ID 15731 | Audits and risk management | Establish/Maintain Documentation | |
Include the scope of renewable energy in the disclosure report. CC ID 15509 | Audits and risk management | Establish/Maintain Documentation | |
Include the scope of energy consumption in the disclosure report. CC ID 15508 | Audits and risk management | Establish/Maintain Documentation | |
Include the types of energy used in the disclosure report. CC ID 15748 | Audits and risk management | Establish/Maintain Documentation | |
Refrain from double-counting fuel consumption, as necessary. CC ID 15736 | Audits and risk management | Process or Activity | |
Include energy efficiency considerations in product design and development in the disclosure report. CC ID 16155 | Audits and risk management | Establish/Maintain Documentation | |
Include a description of how the organization manages public policy in the disclosure report. CC ID 15800 | Audits and risk management | Establish/Maintain Documentation | |
Include a description of how the organization manages materials in the disclosure report. CC ID 15782 | Audits and risk management | Establish/Maintain Documentation | |
Include the scope of recovered material in the disclosure report. CC ID 16204 | Audits and risk management | Establish/Maintain Documentation | |
Include materials that present a risk to operations in the disclosure report. CC ID 16173 | Audits and risk management | Establish/Maintain Documentation | |
Include the risks represented by materials in the disclosure report. CC ID 16171 | Audits and risk management | Establish/Maintain Documentation | |
Include the risk management approach to the use of materials in the disclosure report. CC ID 16169 | Audits and risk management | Establish/Maintain Documentation | |
Include management of the availability of materials in the disclosure report. CC ID 16167 | Audits and risk management | Establish/Maintain Documentation | |
Include management of the price of materials in the disclosure report. CC ID 16165 | Audits and risk management | Establish/Maintain Documentation | |
Include the business activities that use declarable substances in the disclosure report. CC ID 16158 | Audits and risk management | Establish/Maintain Documentation | |
Include a description of how the organization manages declarable substances in the disclosure report. CC ID 16156 | Audits and risk management | Establish/Maintain Documentation | |
Include a description of how the organization manages non-discrimination in the disclosure report. CC ID 15764 | Audits and risk management | Establish/Maintain Documentation | |
Include the status of incidents of discrimination in the disclosure report. CC ID 15790 | Audits and risk management | Establish/Maintain Documentation | |
Include corrective actions taken for incidents of discrimination in the disclosure report. CC ID 15789 | Audits and risk management | Establish/Maintain Documentation | |
Include a description of incidents of discrimination in the disclosure report. CC ID 15787 | Audits and risk management | Establish/Maintain Documentation | |
Include incidents of discrimination no longer subject to action in the disclosure report. CC ID 15786 | Audits and risk management | Establish/Maintain Documentation | |
Include a description of how the organization manages local communities in the disclosure report. CC ID 15798 | Audits and risk management | Establish/Maintain Documentation | |
Include a description of local community consultation committees in the disclosure report. CC ID 15821 | Audits and risk management | Establish/Maintain Documentation | |
Include the results of impact assessments in the disclosure report. CC ID 15820 | Audits and risk management | Establish/Maintain Documentation | |
Include a description of community development programs in the disclosure report. CC ID 15818 | Audits and risk management | Establish/Maintain Documentation | |
Include a description of the impact assessments in the disclosure report. CC ID 15817 | Audits and risk management | Establish/Maintain Documentation | |
Include a description of worker representation bodies in the disclosure report. CC ID 15816 | Audits and risk management | Establish/Maintain Documentation | |
Include a description of local community grievance processes in the disclosure report. CC ID 15815 | Audits and risk management | Establish/Maintain Documentation | |
Include a description of how the organization manages security practices in the disclosure report. CC ID 15784 | Audits and risk management | Establish/Maintain Documentation | |
Include trends in the frequency of incidents in the disclosure report. CC ID 15511 | Audits and risk management | Establish/Maintain Documentation | |
Include trends in the origination of incidents in the disclosure report. CC ID 15512 | Audits and risk management | Establish/Maintain Documentation | |
Include trends in incident type in the disclosure report. CC ID 15510 | Audits and risk management | Establish/Maintain Documentation | |
Include a description of how the organization interacts with water in the disclosure report. CC ID 15752 | Audits and risk management | Establish/Maintain Documentation | |
Include a description of water consumption in the disclosure report. CC ID 15754 | Audits and risk management | Establish/Maintain Documentation | |
Include changes in water storage in the disclosure report. CC ID 15762 | Audits and risk management | Establish/Maintain Documentation | |
Include a description of water discharge in the disclosure report. CC ID 15755 | Audits and risk management | Establish/Maintain Documentation | |
Include a description of water withdrawal in the disclosure report. CC ID 15753 | Audits and risk management | Establish/Maintain Documentation | |
Include the priority substances of concern for which water discharge is treated in the disclosure report. CC ID 15761 | Audits and risk management | Establish/Maintain Documentation | |
Include the effluent discharge standards in the disclosure report. CC ID 15757 | Audits and risk management | Establish/Maintain Documentation | |
Include water quality standards in the disclosure report. CC ID 15756 | Audits and risk management | Establish/Maintain Documentation | |
Include business continuity risks in the disclosure report. CC ID 15608 | Audits and risk management | Establish/Maintain Documentation | |
Include incidents in which encrypted data were acquired with a valid encryption key in the disclosure report. CC ID 15546 | Audits and risk management | Establish/Maintain Documentation | |
Include recycling in the disclosure report. CC ID 15579 | Audits and risk management | Establish/Maintain Documentation | |
Include the scope of recycled material in the disclosure report. CC ID 16153 | Audits and risk management | Establish/Maintain Documentation | |
Include donated materials or refurbished materials in the disclosure report. CC ID 15561 | Audits and risk management | Establish/Maintain Documentation | |
Include materials being physically handled by third parties for reuse, recycling, or refurbishment in the disclosure report. CC ID 15577 | Audits and risk management | Establish/Maintain Documentation | |
Include materials being physically handled by the organization for reuse, recycling, or refurbishment in the disclosure report. CC ID 15575 | Audits and risk management | Establish/Maintain Documentation | |
Include the reuse of materials recovered in the disclosure report. CC ID 15566 | Audits and risk management | Establish/Maintain Documentation | |
Include products, materials, and parts at the end of their useful life in the disclosure report. CC ID 15553 | Audits and risk management | Establish/Maintain Documentation | |
Exclude products and parts waiting for repair and under warranty in the disclosure report. CC ID 15551 | Audits and risk management | Establish/Maintain Documentation | |
Include all monetary liabilities to third parties in the disclosure report. CC ID 15572 | Audits and risk management | Establish/Maintain Documentation | |
Include both first-party advertising and third-party advertising in the disclosure report. CC ID 15554 | Audits and risk management | Establish/Maintain Documentation | |
Include the corrective action plan in the disclosure report. CC ID 15900 | Audits and risk management | Establish/Maintain Documentation | |
Include the costs of corrective actions in the disclosure report. CC ID 16098 | Audits and risk management | Establish/Maintain Documentation | |
Include exclusions from the scope of disclosure for each material topic in the disclosure report. CC ID 15893 | Audits and risk management | Establish/Maintain Documentation | |
Include a justification for each exclusion from the scope of disclosure for each material topic in the disclosure report. CC ID 15892 | Audits and risk management | Establish/Maintain Documentation | |
Include incidents with indications that encrypted data could be readily converted to plain text in the disclosure report. CC ID 15544 | Audits and risk management | Establish/Maintain Documentation | |
Limit disclosures to data breaches that resulted in a deviation from expected outcomes for confidentiality or integrity in the disclosure report. CC ID 15545 | Audits and risk management | Establish/Maintain Documentation | |
Limit the disclosure of breaches to those in which the individuals were notified in the disclosure report. CC ID 15550 | Audits and risk management | Establish/Maintain Documentation | |
Restrict disclosures to wireless communications services in the disclosure report. CC ID 15555 | Audits and risk management | Establish/Maintain Documentation | |
Restrict disclosures to wireline communications services in the disclosure report. CC ID 15556 | Audits and risk management | Establish/Maintain Documentation | |
Restrict disclosure to Internet Service Provider services in the disclosure report. CC ID 15569 | Audits and risk management | Establish/Maintain Documentation | |
Exclude legal fees and expenses used for defense in the disclosure report. CC ID 15571 | Audits and risk management | Establish/Maintain Documentation | |
Include the external requirements to which third parties are compliant in the disclosure report. CC ID 15573 | Audits and risk management | Establish/Maintain Documentation | |
Include the impact of monitoring, blocking, or filtering products and services in the disclosure report. CC ID 15602 | Audits and risk management | Establish/Maintain Documentation | |
Include the reclassification of Internet Service Providers in the disclosure report. CC ID 15576 | Audits and risk management | Establish/Maintain Documentation | |
Include non-monetary sanctions in the disclosure report. CC ID 15872 | Audits and risk management | Establish/Maintain Documentation | |
Include business activities that negatively impact the target environment in the disclosure report. CC ID 15683 | Audits and risk management | Establish/Maintain Documentation | |
Include the organization's name in the disclosure report. CC ID 15668 | Audits and risk management | Establish/Maintain Documentation | |
Include the time period in which privacy breaches occurred in the disclosure report. CC ID 15730 | Audits and risk management | Establish/Maintain Documentation | |
Include the metrics used to track how material topics and related impacts are managed in the disclosure report. CC ID 15686 | Audits and risk management | Establish/Maintain Documentation | |
Include the process used to track the effectiveness of corrective actions taken to manage material topics and related impacts in the disclosure report. CC ID 15687 | Audits and risk management | Establish/Maintain Documentation | |
Include a list of material topics in the disclosure report. CC ID 15656 | Audits and risk management | Establish/Maintain Documentation | |
Include changes to the list of material topics in the disclosure report. CC ID 15681 | Audits and risk management | Establish/Maintain Documentation | |
Include the processes used to monitor material topics and related impacts in the disclosure report. CC ID 15819 | Audits and risk management | Establish/Maintain Documentation | |
Include policies and commitments regarding each material topic in the disclosure report. CC ID 15684 | Audits and risk management | Establish/Maintain Documentation | |
Include a commitment to preserve human rights in the disclosure report. CC ID 15854 | Audits and risk management | Establish/Maintain Documentation | |
Include the reasons that policies and commitments are not publicly available in the disclosure report. CC ID 15873 | Audits and risk management | Establish/Maintain Documentation | |
Include how the impacts related to material topics are managed in the disclosure report. CC ID 15685 | Audits and risk management | Establish/Maintain Documentation | |
Include the individuals who helped determine the material topics in the disclosure report. CC ID 15680 | Audits and risk management | Establish/Maintain Documentation | |
Include the impacts related to each material topic in the disclosure report. CC ID 15682 | Audits and risk management | Establish/Maintain Documentation | |
Include the reversibility or irreversibility of impacts in the disclosure report. CC ID 16037 | Audits and risk management | Establish/Maintain Documentation | |
Include the impact duration in the disclosure report. CC ID 16036 | Audits and risk management | Establish/Maintain Documentation | |
Include the extent of impacts in the disclosure report. CC ID 16016 | Audits and risk management | Establish/Maintain Documentation | |
Include the process for determining material topics in the disclosure report. CC ID 15655 | Audits and risk management | Establish/Maintain Documentation | |
Refrain from including the same data in other required disclosures, as necessary. CC ID 15732 | Audits and risk management | Establish/Maintain Documentation | |
Include the process for setting goals and targets in the disclosure report. CC ID 15763 | Audits and risk management | Establish/Maintain Documentation | |
Include risks to the achievement of goals and targets in the disclosure report. CC ID 16166 | Audits and risk management | Establish/Maintain Documentation | |
Include the timelines for achieving goals and targets in the disclosure report. CC ID 16164 | Audits and risk management | Establish/Maintain Documentation | |
Include the mechanisms for achieving goals and targets in the disclosure report. CC ID 16144 | Audits and risk management | Establish/Maintain Documentation | |
Include the progress towards goals and targets in the disclosure report. CC ID 15688 | Audits and risk management | Establish/Maintain Documentation | |
Include a justification for disclosures that do not reconcile with data reported in other required disclosures in the disclosure report. CC ID 16053 | Audits and risk management | Establish/Maintain Documentation | |
Include historical information and future-oriented information in the disclosure report. CC ID 16336 | Audits and risk management | Establish/Maintain Documentation | |
Include preventive actions in the disclosure report. CC ID 15796 | Audits and risk management | Establish/Maintain Documentation | |
Include the methodology for reporting future-oriented information in the disclosure report. CC ID 16335 | Audits and risk management | Establish/Maintain Documentation | |
Include the reporting period in the disclosure report. CC ID 15661 | Audits and risk management | Establish/Maintain Documentation | |
Include restatements of information from previous reporting periods and an explanation for their use in the disclosure report. CC ID 15827 | Audits and risk management | Establish/Maintain Documentation | |
Include roles and responsibilities in the disclosure report. CC ID 15846 | Audits and risk management | Establish/Maintain Documentation | |
Include the organization's location in the disclosure report. CC ID 16311 | Audits and risk management | Establish/Maintain Documentation | |
Include how conflicts of interest in roles are handled in the disclosure report. CC ID 15848 [Member States shall ensure that statutory auditors and audit firms that carry out statutory audit(s) of public-interest entities publish on their websites, within three months of the end of each financial year, annual transparency reports that include at least the following: a statement concerning the audit firm's independence practices which also confirms that an internal review of independence compliance has been conducted; Article 40 1.(g)] | Audits and risk management | Establish/Maintain Documentation | |
Include the reporting structure in the disclosure report. CC ID 15845 | Audits and risk management | Establish/Maintain Documentation | |
Include a description of whistleblowing mechanisms in the disclosure report. CC ID 16027 | Audits and risk management | Establish/Maintain Documentation | |
Include the differences between the list of entities in financial reporting and in sustainability reporting in the disclosure report. CC ID 15874 | Audits and risk management | Establish/Maintain Documentation | |
Include the governance structure in the disclosure report. CC ID 15840 [Member States shall ensure that statutory auditors and audit firms that carry out statutory audit(s) of public-interest entities publish on their websites, within three months of the end of each financial year, annual transparency reports that include at least the following: a description of the governance structure of the audit firm; Article 40 1.(c)] | Audits and risk management | Establish/Maintain Documentation | |
Include stakeholder representation in the disclosure report. CC ID 15847 | Audits and risk management | Establish/Maintain Documentation | |
Include a description of the composition of governance bodies and committees in the disclosure report. CC ID 15843 | Audits and risk management | Establish/Maintain Documentation | |
Include a description of significant fluctuations in the total number of contractors and outsource partners in the disclosure report. CC ID 15839 | Audits and risk management | Establish/Maintain Documentation | |
Include a description of contractual relationships in the disclosure report. CC ID 15838 [Member States shall ensure that statutory auditors and audit firms that carry out statutory audit(s) of public-interest entities publish on their websites, within three months of the end of each financial year, annual transparency reports that include at least the following: where the audit firm belongs to a network, a description of the network and the legal and structural arrangements in the network; Article 40 1.(b) Member States shall ensure that statutory auditors and audit firms that carry out statutory audit(s) of public-interest entities publish on their websites, within three months of the end of each financial year, annual transparency reports that include at least the following: a list of public-interest entities for which the audit firm has carried out statutory audits during the preceding financial year; Article 40 1.(f)] | Audits and risk management | Establish/Maintain Documentation | |
Include a description of significant fluctuations in the total number of employees in the disclosure report. CC ID 15836 | Audits and risk management | Establish/Maintain Documentation | |
Include research findings based on previous and current research methodologies in the disclosure report. CC ID 15630 | Audits and risk management | Establish/Maintain Documentation | |
Include the methodology used to report numbers in the disclosure report. CC ID 15841 | Audits and risk management | Establish/Maintain Documentation | |
Include definitions of terms in the disclosure report. CC ID 15832 | Audits and risk management | Establish/Maintain Documentation | |
Include a description of third party relationships in the disclosure report. CC ID 15830 | Audits and risk management | Establish/Maintain Documentation | |
Include the type of work performed by contractors and outsource partners in the disclosure report. CC ID 15842 | Audits and risk management | Establish/Maintain Documentation | |
Include any changes made to information in restatements in the disclosure report. CC ID 15829 | Audits and risk management | Establish/Maintain Documentation | |
Include the criteria for determining when to use restatements in the disclosure report. CC ID 15828 | Audits and risk management | Establish/Maintain Documentation | |
Include points of contact in the disclosure report. CC ID 15826 | Audits and risk management | Establish/Maintain Documentation | |
Include the reason that reporting periods for different reports do not align in the disclosure report. CC ID 15825 | Audits and risk management | Establish/Maintain Documentation | |
Include a description of how information is consolidated in the disclosure report. CC ID 15824 | Audits and risk management | Establish/Maintain Documentation | |
Include the legal form of organization in the disclosure report. CC ID 15823 | Audits and risk management | Establish/Maintain Documentation | |
Include the ownership structure in the disclosure report. CC ID 15822 [Member States shall ensure that statutory auditors and audit firms that carry out statutory audit(s) of public-interest entities publish on their websites, within three months of the end of each financial year, annual transparency reports that include at least the following: a description of the legal structure and ownership; Article 40 1.(a)] | Audits and risk management | Establish/Maintain Documentation | |
Include the shareholding structure in the disclosure report. CC ID 16093 | Audits and risk management | Establish/Maintain Documentation | |
Include the processes used to collect and monitor in scope information in the disclosure report. CC ID 15779 | Audits and risk management | Establish/Maintain Documentation | |
Refrain from including out of scope information in the disclosure report. CC ID 15793 | Audits and risk management | Establish/Maintain Documentation | |
Include the processes used to assess third party compliance in the disclosure report. CC ID 15773 | Audits and risk management | Establish/Maintain Documentation | |
Include the calculation methodology in the disclosure report. CC ID 15733 | Audits and risk management | Establish/Maintain Documentation | |
Include the rationale for choosing the calculation methodology in the disclosure report. CC ID 15734 | Audits and risk management | Establish/Maintain Documentation | |
Include the effects of changes to calculation methodologies in the disclosure report. CC ID 16344 | Audits and risk management | Establish/Maintain Documentation | |
Include the source of conversion factors in the disclosure report. CC ID 15747 | Audits and risk management | Establish/Maintain Documentation | |
Include known limitations in the disclosure report. CC ID 15669 | Audits and risk management | Establish/Maintain Documentation | |
Include the lessons learned in the disclosure report. CC ID 15689 | Audits and risk management | Establish/Maintain Documentation | |
Include how lessons learned are incorporated into policies and procedures in the disclosure report. CC ID 15690 | Audits and risk management | Establish/Maintain Documentation | |
Include whether training requirements apply to third parties in the disclosure report. CC ID 15727 | Audits and risk management | Establish/Maintain Documentation | |
Include a link to the content index in the disclosure report. CC ID 15666 | Audits and risk management | Establish/Maintain Documentation | |
Include stakeholder engagement activities in the disclosure report. CC ID 15691 | Audits and risk management | Establish/Maintain Documentation | |
Include supplemental disclosures in the disclosure report. CC ID 15629 | Audits and risk management | Establish/Maintain Documentation | |
Sign the disclosure report. CC ID 17286 [The transparency report shall be signed by the statutory auditor or audit firm, as the case may be. This can be done, for example, by means of an electronic signature as defined in Article 2(1) of Directive 1999/93/EC. Article 40 2.] | Audits and risk management | Business Processes | |
Disseminate and communicate the disclosure report to interested personnel and affected parties. CC ID 15667 [Member States shall ensure that statutory auditors and audit firms that carry out statutory audit(s) of public-interest entities publish on their websites, within three months of the end of each financial year, annual transparency reports that include at least the following: Article 40 1.] | Audits and risk management | Communicate | |
Enforce information flow control. CC ID 11781 | Technical security | Monitor and Evaluate Occurrences | |
Establish, implement, and maintain information flow control policies inside the system and between interconnected systems. CC ID 01410 | Technical security | Establish/Maintain Documentation | |
Establish, implement, and maintain information exchange procedures. CC ID 11782 [Paragraph 2 shall not prevent competent authorities from exchanging confidential information. Information thus exchanged shall be covered by the obligation of professional secrecy, to which persons employed or formerly employed by competent authorities are subject. Article 36 3.] | Technical security | Establish/Maintain Documentation | |
Include the connected Information Technology assets in the information exchange procedures. CC ID 17025 | Technical security | Establish/Maintain Documentation | |
Include connection termination procedures in the information exchange procedures. CC ID 17027 | Technical security | Establish/Maintain Documentation | |
Include the data sensitivity levels in the information exchange procedures. CC ID 17024 [Paragraph 2 shall not prevent competent authorities from exchanging confidential information. Information thus exchanged shall be covered by the obligation of professional secrecy, to which persons employed or formerly employed by competent authorities are subject. Article 36 3.] | Technical security | Establish/Maintain Documentation | |
Include communication requirements in the information exchange procedures. CC ID 17026 | Technical security | Establish/Maintain Documentation | |
Include roles and responsibilities in the information exchange procedures. CC ID 17023 | Technical security | Establish/Maintain Documentation | |
Include contact information in the information exchange procedures. CC ID 17307 | Technical security | Establish/Maintain Documentation | |
Include implementation procedures in the information exchange procedures. CC ID 17022 | Technical security | Establish/Maintain Documentation | |
Include security controls in the information exchange procedures. CC ID 17021 | Technical security | Establish/Maintain Documentation | |
Include testing procedures in the information exchange procedures. CC ID 17020 | Technical security | Establish/Maintain Documentation | |
Include measurement criteria in the information exchange procedures. CC ID 17019 | Technical security | Establish/Maintain Documentation | |
Include training requirements in the information exchange procedures. CC ID 17017 | Technical security | Establish/Maintain Documentation | |
Test the information exchange procedures. CC ID 17115 | Technical security | Testing | |
Perform content sanitization on data-in-transit. CC ID 16512 | Technical security | Data and Information Management | |
Perform content conversion on data-in-transit. CC ID 16510 | Technical security | Data and Information Management | |
Protect data from unauthorized access while transmitting between separate parts of the system. CC ID 16499 | Technical security | Data and Information Management | |
Log issuers who send personal data in cleartext in the transfer audit log. CC ID 12312 | Technical security | Log Management | |
Establish, implement, and maintain high level operational roles and responsibilities. CC ID 00806 | Human Resources management | Establish Roles | |
Define and assign board committees, as necessary. CC ID 14787 | Human Resources management | Human Resources Management | |
Define and assign audit committees, as necessary. CC ID 14788 [Each public-interest entity shall have an audit committee. The Member State shall determine whether audit committees are to be composed of non-executive members of the administrative body and/or members of the supervisory body of the audited entity and/or members appointed by the general meeting of shareholders of the audited entity. At least one member of the audit committee shall be independent and shall have competence in accounting and/or auditing. Article 41 1. ¶ 1] | Human Resources management | Human Resources Management | |
Include members with experience in audit practices, financial reporting, and accounting in the audit committee. CC ID 14796 [Each public-interest entity shall have an audit committee. The Member State shall determine whether audit committees are to be composed of non-executive members of the administrative body and/or members of the supervisory body of the audited entity and/or members appointed by the general meeting of shareholders of the audited entity. At least one member of the audit committee shall be independent and shall have competence in accounting and/or auditing. Article 41 1. ¶ 1] | Human Resources management | Human Resources Management | |
Establish, implement, and maintain a personnel management program. CC ID 14018 | Human Resources management | Establish/Maintain Documentation | |
Assign personnel screening procedures to qualified personnel. CC ID 11699 | Human Resources management | Establish Roles | |
Include all residences in the criminal records check. CC ID 13306 | Human Resources management | Process or Activity | |
Document any reasons a full criminal records check could not be performed. CC ID 13305 | Human Resources management | Establish/Maintain Documentation | |
Disseminate and communicate screening results to interested personnel and affected parties. CC ID 16445 | Human Resources management | Communicate | |
Disseminate and communicate personnel screening procedures to interested personnel and affected parties. CC ID 16977 | Human Resources management | Communicate | |
Notify terminated individuals of applicable, legally binding post-employment requirements. CC ID 10630 [The statutory auditor or the key audit partner who carries out a statutory audit on behalf of an audit firm shall not be allowed to take up a key management position in the audited entity before a period of at least two years has elapsed since he or she resigned as a statutory auditor or key audit partner from the audit engagement. Article 42 3.] | Human Resources management | Communicate | |
Train all personnel and third parties, as necessary. CC ID 00785 [In order to ensure the ability to apply theoretical knowledge in practice, a test of which is included in the examination, a trainee shall complete a minimum of three years' practical training in, inter alia, the auditing of annual accounts, consolidated accounts or similar financial statements. At least two thirds of such practical training shall be completed with a statutory auditor or audit firm approved in any Member State. Article 10 1.] | Human Resources management | Behavior | |
Provide new hires limited network access to complete computer-based training. CC ID 17008 | Human Resources management | Training | |
Establish, implement, and maintain an education methodology. CC ID 06671 [{investigation process} {disciplinary process} The system of public oversight shall have the ultimate responsibility for the oversight of: continuing education, quality assurance and investigative and disciplinary systems. Article 32 4.(c)] | Human Resources management | Business Processes | |
Support certification programs as viable training programs. CC ID 13268 [Member States may provide that periods of theoretical instruction in the fields referred to in Article 8 shall count towards the periods of professional activity referred to in Article 11, provided that such instruction is attested by an examination recognised by the State. Such instruction shall not last less than one year, nor may it reduce the period of professional activity by more than four years. Article 12 1.] | Human Resources management | Human Resources Management | |
Include evidence of experience in applications for professional certification. CC ID 16193 | Human Resources management | Establish/Maintain Documentation | |
Include supporting documentation in applications for professional certification. CC ID 16195 | Human Resources management | Establish/Maintain Documentation | |
Submit applications for professional certification. CC ID 16192 | Human Resources management | Training | |
Retrain all personnel, as necessary. CC ID 01362 [Member States shall ensure that statutory auditors are required to take part in appropriate programmes of continuing education in order to maintain their theoretical knowledge, professional skills and values at a sufficiently high level, and that failure to respect the continuing education requirements is subject to appropriate penalties as referred to in Article 30. Article 13 ¶ 1] | Human Resources management | Behavior | |
Hire third parties to conduct training, as necessary. CC ID 13167 | Human Resources management | Human Resources Management | |
Approve training plans, as necessary. CC ID 17193 | Human Resources management | Training | |
Include prevention techniques in training regarding diseases or sicknesses. CC ID 14387 | Human Resources management | Training | |
Include the concept of disease clusters when training to recognize conditions of diseases or sicknesses. CC ID 14386 | Human Resources management | Training | |
Establish, implement, and maintain a list of tasks to include in the training plan. CC ID 17101 | Human Resources management | Training | |
Designate training facilities in the training plan. CC ID 16200 | Human Resources management | Training | |
Include portions of the visitor control program in the training plan. CC ID 13287 | Human Resources management | Establish/Maintain Documentation | |
Include insider threats in the security awareness program. CC ID 16963 | Human Resources management | Training | |
Conduct personal data processing training. CC ID 13757 | Human Resources management | Training | |
Include in personal data processing training how to provide the contact information for the categories of personal data the organization may disclose. CC ID 13758 | Human Resources management | Training | |
Complete security awareness training prior to being granted access to information systems or data. CC ID 17009 | Human Resources management | Training | |
Establish, implement, and maintain a security awareness and training policy. CC ID 14022 | Human Resources management | Establish/Maintain Documentation | |
Include compliance requirements in the security awareness and training policy. CC ID 14092 | Human Resources management | Establish/Maintain Documentation | |
Include coordination amongst entities in the security awareness and training policy. CC ID 14091 | Human Resources management | Establish/Maintain Documentation | |
Establish, implement, and maintain security awareness and training procedures. CC ID 14054 | Human Resources management | Establish/Maintain Documentation | |
Disseminate and communicate the security awareness and training procedures to interested personnel and affected parties. CC ID 14138 | Human Resources management | Communicate | |
Include management commitment in the security awareness and training policy. CC ID 14049 | Human Resources management | Establish/Maintain Documentation | |
Include roles and responsibilities in the security awareness and training policy. CC ID 14048 | Human Resources management | Establish/Maintain Documentation | |
Include the scope in the security awareness and training policy. CC ID 14047 | Human Resources management | Establish/Maintain Documentation | |
Include the purpose in the security awareness and training policy. CC ID 14045 | Human Resources management | Establish/Maintain Documentation | |
Include configuration management procedures in the security awareness program. CC ID 13967 | Human Resources management | Establish/Maintain Documentation | |
Include media protection in the security awareness program. CC ID 16368 | Human Resources management | Training | |
Document security awareness requirements. CC ID 12146 | Human Resources management | Establish/Maintain Documentation | |
Include identity and access management in the security awareness program. CC ID 17013 | Human Resources management | Training | |
Include the encryption process in the security awareness program. CC ID 17014 | Human Resources management | Training | |
Include physical security in the security awareness program. CC ID 16369 | Human Resources management | Training | |
Include data management in the security awareness program. CC ID 17010 | Human Resources management | Training | |
Include e-mail and electronic messaging in the security awareness program. CC ID 17012 | Human Resources management | Training | |
Include updates on emerging issues in the security awareness program. CC ID 13184 | Human Resources management | Training | |
Include cybersecurity in the security awareness program. CC ID 13183 | Human Resources management | Training | |
Include implications of non-compliance in the security awareness program. CC ID 16425 | Human Resources management | Training | |
Include social networking in the security awareness program. CC ID 17011 | Human Resources management | Training | |
Include the acceptable use policy in the security awareness program. CC ID 15487 | Human Resources management | Training | |
Include a requirement to train all new hires and interested personnel in the security awareness program. CC ID 11800 | Human Resources management | Establish/Maintain Documentation | |
Include remote access in the security awareness program. CC ID 13892 | Human Resources management | Establish/Maintain Documentation | |
Document the goals of the security awareness program. CC ID 12145 | Human Resources management | Establish/Maintain Documentation | |
Compare current security awareness assessment reports to the security awareness baseline. CC ID 12150 | Human Resources management | Establish/Maintain Documentation | |
Establish and maintain a steering committee to guide the security awareness program. CC ID 12149 | Human Resources management | Human Resources Management | |
Document the scope of the security awareness program. CC ID 12148 | Human Resources management | Establish/Maintain Documentation | |
Establish, implement, and maintain a security awareness baseline. CC ID 12147 | Human Resources management | Establish/Maintain Documentation | |
Encourage interested personnel to obtain security certification. CC ID 11804 | Human Resources management | Human Resources Management | |
Train all personnel and third parties on how to recognize and report system failures. CC ID 13475 | Human Resources management | Training | |
Establish, implement, and maintain an environmental management system awareness program. CC ID 15200 | Human Resources management | Establish/Maintain Documentation | |
Establish, implement, and maintain a conflict of interest policy. CC ID 14785 [{do not exist} Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: the selection of reviewers for specific quality assurance review assignments shall be effected in accordance with an objective procedure designed to ensure that there are no conflicts of interest between the reviewers and the statutory auditor or audit firm under review; Article 29 1.(e) The competent authorities shall be organised in such a manner that conflicts of interests are avoided. Article 35 2.] | Human Resources management | Establish/Maintain Documentation | |
Include definitions of conflicts of interest in the conflict of interest policy. CC ID 14792 | Human Resources management | Establish/Maintain Documentation | |
Include continuous monitoring for conflicts of interest in the conflict of interest policy. CC ID 17190 | Human Resources management | Monitor and Evaluate Occurrences | |
Submit a conflict of interest declaration to interested personnel and affected parties. CC ID 16194 [In addition to the provisions laid down in Articles 22 and 24, Member States shall ensure that statutory auditors or audit firms that carry out the statutory audit of a public-interest entity: confirm annually in writing to the audit committee their independence from the audited public-interest entity; Article 42 1.(a)] | Human Resources management | Communicate | |
Include roles and responsibilities in the conflict of interest policy. CC ID 14790 | Human Resources management | Establish/Maintain Documentation | |
Establish, implement, and maintain an ethics program. CC ID 11496 [Member States shall ensure that all statutory auditors and audit firms are subject to principles of professional ethics, covering at least their public-interest function, their integrity and objectivity and their professional competence and due care. Article 21 1. The system of public oversight shall have the ultimate responsibility for the oversight of: the adoption of standards on professional ethics, internal quality control of audit firms and auditing, and Article 32 4.(b)] | Human Resources management | Human Resources Management | |
Include communication protocols for interested personnel and affected parties in the ethics program. CC ID 12858 | Human Resources management | Communicate | |
Establish, implement, and maintain ethical decision-making guidelines. CC ID 12908 | Human Resources management | Behavior | |
Establish, implement, and maintain investigation procedures addressing ethics complaints. CC ID 12900 | Human Resources management | Investigate | |
Establish, implement, and maintain an ethical culture. CC ID 12781 | Human Resources management | Behavior | |
Analyze the organizational climate regarding support for expectation of responsible behavior and integrity. CC ID 12873 | Human Resources management | Monitor and Evaluate Occurrences | |
Analyze the organizational climate regarding the expectation of responsible behavior and integrity. CC ID 12872 | Human Resources management | Monitor and Evaluate Occurrences | |
Refrain from practicing false advertising. CC ID 14253 | Human Resources management | Business Processes | |
Establish mechanisms for whistleblowers to report compliance violations. CC ID 06806 | Human Resources management | Business Processes | |
Establish mechanisms to maintain the anonymity of whistleblowers. CC ID 12859 | Human Resources management | Communicate | |
Establish, implement, and maintain a training program to report compliance violations. CC ID 11835 | Human Resources management | Establish/Maintain Documentation | |
Refrain from discriminating against employees who refuse or intend to refuse to do something that contravenes requirements. CC ID 13608 | Human Resources management | Behavior | |
Refrain from discriminating against employees who are whistleblowers. CC ID 13609 | Human Resources management | Behavior | |
Refrain from discriminating against employees who disclose that their employer or another person has or intends to contravene requirements. CC ID 13607 | Human Resources management | Behavior | |
Apply legal remedies to any person knowingly partaking in illegal actions. CC ID 11515 | Human Resources management | Human Resources Management | |
Include prohibiting counterfeiting in the ethics program. CC ID 11517 | Human Resources management | Human Resources Management | |
Refrain from assigning roles and responsibilities that breach segregation of duties. CC ID 12055 | Human Resources management | Human Resources Management | |
Refrain from assigning security compliance assessment responsibility for the day-to-day production activities an individual performs. CC ID 12061 | Human Resources management | Establish Roles | |
Refrain from approving previously performed activities when acting on behalf of the Chief Information Security Officer. CC ID 12060 | Human Resources management | Behavior | |
Refrain from performing activities with approval responsibility when acting on behalf of the Chief Information Security Officer. CC ID 12059 | Human Resources management | Behavior | |
Prohibit roles from performing activities that they are assigned the responsibility for approving. CC ID 12052 | Human Resources management | Behavior | |
Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain an information security program. CC ID 00812 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain operational control procedures. CC ID 00831 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a Standard Operating Procedures Manual. CC ID 00826 | Operational management | Establish/Maintain Documentation | |
Include information sharing procedures in standard operating procedures. CC ID 12974 | Operational management | Records Management | |
Provide support for information sharing activities. CC ID 15644 [The competent authorities of Member States responsible for approval, registration, quality assurance, inspection and discipline shall cooperate with each other whenever necessary for the purpose of carrying out their respective responsibilities under this Directive. The competent authorities in a Member State responsible for approval, registration, quality assurance, inspection and discipline shall render assistance to competent authorities in other Member States. In particular, competent authorities shall exchange information and cooperate in investigations related to the carrying-out of statutory audits. Article 36 1.] | Operational management | Process or Activity | |
Establish, implement, and maintain a registration database. CC ID 15048 [{unique identifier} Member States shall ensure that each statutory auditor and audit firm is identified in the public register by an individual number. Registration information shall be stored in the register in electronic form and shall be electronically accessible to the public. Article 15 2. Member States shall ensure that statutory auditors and audit firms notify the competent authorities in charge of the public register without undue delay of any change of information contained in the public register. The register shall be updated without undue delay after notification. Article 18 ¶ 1 Each Member State shall ensure that statutory auditors and audit firms are entered in a public register in accordance with Articles 16 and 17. In exceptional circumstances, Member States may disapply the requirements laid down in this Article and Article 16 regarding disclosure only to the extent necessary to mitigate an imminent and significant threat to the personal security of any person. Article 15 1.] | Operational management | Data and Information Management | |
Implement access restrictions for information in the registration database. CC ID 17235 | Operational management | Data and Information Management | |
Include registration numbers in the registration database. CC ID 17272 [As regards statutory auditors, the public register shall contain at least the following information: name, address and registration number; Article 16 1.(a) As regards statutory auditors, the public register shall contain at least the following information: if applicable, the name, address, website address and registration number of the audit firm(s) by which the statutory auditor is employed, or with whom he or she is associated as a partner or otherwise; Article 16 1.(b) As regards audit firms, the public register shall contain at least the following information: name, address and registration number; Article 17 1.(a)] | Operational management | Data and Information Management | |
Include electronic signatures in the registration database. CC ID 17281 [{public register} The information provided to the relevant competent authorities in accordance with Articles 16, 17 and 18 shall be signed by the statutory auditor or audit firm. Where the competent authority provides for the information to be made available electronically, that can, for example, be done by means of an electronic signature as defined in point 1 of Article 2 of Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures (19). Article 19 ¶ 1] | Operational management | Data and Information Management | |
Include other registrations in the registration database. CC ID 17274 [As regards audit firms, the public register shall contain at least the following information: all other registration(s) as audit firm with the competent authorities of other Member States and as audit entity with third countries, including the name(s) of the registration authority(ies), and, if applicable, the registration number(s). Article 17 1.(i)] | Operational management | Data and Information Management | |
Include the owners and shareholders in the registration database. CC ID 17273 [As regards audit firms, the public register shall contain at least the following information: names and business addresses of all owners and shareholders; Article 17 1.(f)] | Operational management | Data and Information Management | |
Include contact details in the registration database. CC ID 15109 [The public register shall also contain the name and address of the competent authorities responsible for approval as referred to in Article 3, for quality assurance as referred to in Article 29, for investigations and penalties on statutory auditors and audit firms as referred to in Article 30, and for public oversight as referred to in Article 32. Article 15 3. As regards statutory auditors, the public register shall contain at least the following information: name, address and registration number; Article 16 1.(a) As regards statutory auditors, the public register shall contain at least the following information: if applicable, the name, address, website address and registration number of the audit firm(s) by which the statutory auditor is employed, or with whom he or she is associated as a partner or otherwise; Article 16 1.(b) As regards audit firms, the public register shall contain at least the following information: name, address and registration number; Article 17 1.(a) As regards audit firms, the public register shall contain at least the following information: contact information, the primary contact person and, where applicable, the website address; Article 17 1.(c) As regards audit firms, the public register shall contain at least the following information: address of each office in the Member State; Article 17 1.(d) As regards audit firms, the public register shall contain at least the following information: names and business addresses of all members of the administrative or management body; Article 17 1.(g) As regards audit firms, the public register shall contain at least the following information: if applicable, the membership of a network and a list of the names and addresses of member firms and affiliates or an indication of the place where such information is publicly available; Article 17 1.(h)] | Operational management | Establish/Maintain Documentation | |
Include personal data in the registration database, as necessary. CC ID 15108 | Operational management | Establish/Maintain Documentation | |
Publish the registration information in the registration database in an official language. CC ID 17280 [The information entered in the public register shall be drawn up in one of the languages permitted by the language rules applicable in the Member State concerned. Article 20 1. Member States may additionally allow the information to be entered in the public register in any other official language(s) of the Community. Member States may require the translation of the information to be certified. Article 20 2. ¶ 1] | Operational management | Data and Information Management | |
Make the registration database available to the public. CC ID 15107 [{unique identifier} Member States shall ensure that each statutory auditor and audit firm is identified in the public register by an individual number. Registration information shall be stored in the register in electronic form and shall be electronically accessible to the public. Article 15 2.] | Operational management | Communicate | |
Maintain non-public information in a protected area in the registration database. CC ID 17237 | Operational management | Data and Information Management | |
Impose conditions or restrictions on the termination or suspension of a registration. CC ID 16796 | Operational management | Business Processes | |
Publish the IP addresses being used by each external customer in the registration database. CC ID 16403 | Operational management | Data and Information Management | |
Update registration information upon changes. CC ID 17275 [Member States shall ensure that statutory auditors and audit firms notify the competent authorities in charge of the public register without undue delay of any change of information contained in the public register. The register shall be updated without undue delay after notification. Article 18 ¶ 1] | Operational management | Data and Information Management | |
Maintain the accuracy of registry information published in registration databases. CC ID 16402 | Operational management | Data and Information Management | |
Maintain ease of use for information in the registration database. CC ID 17239 [{unique identifier} Member States shall ensure that each statutory auditor and audit firm is identified in the public register by an individual number. Registration information shall be stored in the register in electronic form and shall be electronically accessible to the public. Article 15 2.] | Operational management | Data and Information Management | |
Include all required information in the registration database. CC ID 15106 [As regards statutory auditors, the public register shall contain at least the following information: all other registration(s) as statutory auditor with the competent authorities of other Member States and as auditor with third countries, including the name(s) of the registration authority(ies), and, if applicable, the registration number(s). Article 16 1.(c) As regards audit firms, the public register shall contain at least the following information: name and registration number of all statutory auditors employed by or associated as partners or otherwise with the audit firm; Article 17 1.(e) {not be indicated} {public register} Third-country audit entities registered in accordance with Article 45 shall be clearly indicated in the register as such and not as audit firms. Article 17 2. {public register} {do not indicate} Third-country auditors registered in accordance with Article 45 shall be clearly indicated in the register as such and not as statutory auditors. Article 16 2. As regards audit firms, the public register shall contain at least the following information: legal form; Article 17 1.(b) {third-country audit entity} The competent authorities of a Member State shall, in accordance with Articles 15 to 17, register every third-country auditor and audit entity that provides an audit report concerning the annual or consolidated accounts of a company incorporated outwith the Community whose transferable securities are admitted to trading on a regulated market of that Member State within the meaning of point 14 of Article 4(1) of Directive 2004/39/EC, except when the company is an issuer exclusively of debt securities admitted to trading on a regulated market in a Member State within the meaning of Article 2(1)(b) of Directive 2004/109/EC, the denomination per unit of which is at least EUR 50 000 or, in case of debt securities denominated in another currency, equivalent, at the date of issue, to at least EUR 50 000. Article 45 1.] | Operational management | Data and Information Management | |
Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish, implement, and maintain a personal data accountability program. CC ID 13432 | Privacy protection for information and data | Establish/Maintain Documentation | |
Require data controllers to be accountable for their actions. CC ID 00470 | Privacy protection for information and data | Establish Roles | |
Notify the supervisory authority. CC ID 00472 [Where a competent authority concludes that activities contrary to the provisions of this Directive are being or have been carried out on the territory of another Member State, it shall notify the competent authority of the other Member State of that conclusion in as specific a manner as possible. The competent authority of the other Member State shall take appropriate action. It shall inform the notifying competent authority of the outcome and, to the extent possible, of significant interim developments. Article 36 5. Member States shall communicate to the Commission the working arrangements referred to in paragraphs 1 and 4. Article 47 6.] | Privacy protection for information and data | Behavior | |
Establish, implement, and maintain approval applications. CC ID 16778 [The competent authorities of the Member States shall establish procedures for the approval of statutory auditors who have been approved in other Member States. Those procedures shall not go beyond a requirement to pass an aptitude test in accordance with Article 4 of Council Directive 89/48/EEC of 21 December 1988 on a general system for the recognition of higher-education diplomas awarded on completion of professional education and training of at least three years' duration (18). The aptitude test, which shall be conducted in one of the languages permitted by the language rules applicable in the Member State concerned, shall cover only the statutory auditor's adequate knowledge of the laws and regulations of that Member State in so far as relevant to statutory audits. Article 14 ¶ 1] | Privacy protection for information and data | Establish/Maintain Documentation | |
Define the requirements for approving or denying approval applications. CC ID 16780 | Privacy protection for information and data | Business Processes | |
Submit approval applications to the supervisory authority. CC ID 16627 | Privacy protection for information and data | Communicate | |
Include required information in the approval application. CC ID 16628 | Privacy protection for information and data | Establish/Maintain Documentation | |
Extend the time limit for approving or denying approval applications. CC ID 16779 | Privacy protection for information and data | Business Processes | |
Approve the approval application unless applicant has been convicted. CC ID 16603 | Privacy protection for information and data | Process or Activity | |
Provide the supervisory authority with any information requested by the supervisory authority. CC ID 12606 [Competent authorities shall, on request, and without undue delay, supply any information required for the purpose referred to in paragraph 1. Where necessary, the competent authorities receiving any such request shall, without undue delay, take the necessary measures to gather the required information. Information thus supplied shall be covered by the obligation of professional secrecy to which the persons employed or formerly employed by the competent authorities that received the information are subject. Article 36 4. ¶ 1] | Privacy protection for information and data | Process or Activity | |
Notify the supervisory authority of the safeguards employed to protect the data subject's rights. CC ID 12605 | Privacy protection for information and data | Communicate | |
Respond to questions about submissions in a timely manner. CC ID 16930 | Privacy protection for information and data | Communicate | |
Establish, implement, and maintain a personal data use limitation program. CC ID 13428 | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish, implement, and maintain data access procedures. CC ID 00414 [The working arrangements referred to in paragraph 1(d) shall ensure that: justification as to the purpose of the request for audit working papers and other documents is provided by the competent authorities; Article 47 2.(a)] | Privacy protection for information and data | Establish/Maintain Documentation | |
Allow data subjects to submit data requests. CC ID 16545 | Privacy protection for information and data | Process or Activity | |
Provide individuals with information about where their personal data was processed. CC ID 00415 | Privacy protection for information and data | Data and Information Management | |
Provide individuals with information about the processing purpose of their personal data. CC ID 00416 | Privacy protection for information and data | Data and Information Management | |
Provide individuals with information about disclosure of their personal data. CC ID 00417 | Privacy protection for information and data | Data and Information Management | |
Allow guardians and legal representatives access to personal data about the individual for whom they are guardians or legal representatives. CC ID 00418 | Privacy protection for information and data | Data and Information Management | |
Provide assistance to requesters in preparing data access requests. CC ID 13588 | Privacy protection for information and data | Data and Information Management | |
Require data access requests to be in writing, unless the requester is unable. CC ID 00420 | Privacy protection for information and data | Establish/Maintain Documentation | |
Define what is to be included in a data access request. CC ID 08699 | Privacy protection for information and data | Establish/Maintain Documentation | |
Refrain from requiring data subjects to justify personal data access requests. CC ID 12394 | Privacy protection for information and data | Business Processes | |
Respond to data access requests in a timely manner. CC ID 00421 | Privacy protection for information and data | Behavior | |
Respond to data access requests in an official language. CC ID 17176 | Privacy protection for information and data | Communicate | |
Delay responding to data access requests, as necessary. CC ID 15504 | Privacy protection for information and data | Data and Information Management | |
Expedite the processing of data access requests, as necessary. CC ID 15496 | Privacy protection for information and data | Data and Information Management | |
Grant a waiver or reduction of fees for data access under defined conditions. CC ID 15502 | Privacy protection for information and data | Business Processes | |
Define what is included in a request for a waiver or reduction of fees. CC ID 15522 | Privacy protection for information and data | Process or Activity | |
Deliver the records described in the personal data access request, as necessary. CC ID 08701 | Privacy protection for information and data | Establish/Maintain Documentation | |
Provide individuals with an estimate of how much data was withheld from the data access request. CC ID 15503 | Privacy protection for information and data | Data and Information Management | |
Document the outcome of the personal data access request review procedure. CC ID 00455 | Privacy protection for information and data | Data and Information Management | |
Establish, implement, and maintain procedures for individuals to be able to modify their personal data, as necessary. CC ID 11811 | Privacy protection for information and data | Establish/Maintain Documentation | |
Submit personal data removal requests in writing. CC ID 11973 | Privacy protection for information and data | Records Management | |
Include a liability waiver for any harm caused by the exclusion of personal data in the personal data removal request. CC ID 11975 | Privacy protection for information and data | Establish/Maintain Documentation | |
Notify third parties of data access requests that relate to the third party. CC ID 08703 | Privacy protection for information and data | Establish/Maintain Documentation | |
Allow affected third parties to consent or object to a data access request. CC ID 08704 | Privacy protection for information and data | Process or Activity | |
Establish, implement, and maintain restricted data use limitation procedures. CC ID 00128 | Privacy protection for information and data | Establish/Maintain Documentation | |
Process restricted data lawfully and carefully. CC ID 00086 [Without prejudice to the obligations to which they are subject in judicial proceedings, competent authorities which receive information pursuant to paragraph 1 may use it only for the exercise of their functions within the scope of this Directive and in the context of administrative or judicial proceedings specifically related to the exercise of those functions. Article 36 4. ¶ 4] | Privacy protection for information and data | Establish Roles | |
Implement technical controls that limit processing restricted data for specific purposes. CC ID 12646 | Privacy protection for information and data | Technical Security | |
Process personal data pertaining to a patient's health in order to treat those patients. CC ID 00200 | Privacy protection for information and data | Data and Information Management | |
Refrain from disclosing Individually Identifiable Health Information when in violation of territorial or federal law. CC ID 11966 | Privacy protection for information and data | Records Management | |
Document the conditions for the use or disclosure of Individually Identifiable Health Information by a covered entity to another covered entity. CC ID 00210 | Privacy protection for information and data | Establish/Maintain Documentation | |
Disclose Individually Identifiable Health Information for a covered entity's own use. CC ID 00211 | Privacy protection for information and data | Data and Information Management | |
Disclose Individually Identifiable Health Information for a healthcare provider's treatment activities by a covered entity. CC ID 00212 | Privacy protection for information and data | Data and Information Management | |
Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted with the consent of the data subject. CC ID 11970 | Privacy protection for information and data | Records Management | |
Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is to support the treatment of the individual. CC ID 11969 | Privacy protection for information and data | Process or Activity | |
Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted by law. CC ID 11976 | Privacy protection for information and data | Records Management | |
Disclose Individually Identifiable Health Information for payment activities between covered entities or healthcare providers. CC ID 00213 | Privacy protection for information and data | Data and Information Management | |
Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities when both covered entities have a relationship with the data subject. CC ID 00214 | Privacy protection for information and data | Data and Information Management | |
Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities between a covered entity and a participating healthcare provider when the information is collected from the data subject and a third party. CC ID 00215 | Privacy protection for information and data | Data and Information Management | |
Disclose Individually Identifiable Health Information in accordance with agreed upon restrictions. CC ID 06249 | Privacy protection for information and data | Data and Information Management | |
Disclose Individually Identifiable Health Information in accordance with the privacy notice. CC ID 06250 | Privacy protection for information and data | Data and Information Management | |
Disclose permitted Individually Identifiable Health Information for facility directories. CC ID 06251 | Privacy protection for information and data | Data and Information Management | |
Disclose Individually Identifiable Health Information for cadaveric organ donation purposes, eye donation purposes, or tissue donation purposes. CC ID 06252 | Privacy protection for information and data | Data and Information Management | |
Disclose Individually Identifiable Health Information for medical suitability determinations. CC ID 06253 | Privacy protection for information and data | Data and Information Management | |
Disclose Individually Identifiable Health Information for armed forces personnel appropriately. CC ID 06254 | Privacy protection for information and data | Data and Information Management | |
Disclose Individually Identifiable Health Information in order to provide public benefits by government agencies. CC ID 06255 | Privacy protection for information and data | Data and Information Management | |
Disclose Individually Identifiable Health Information for fundraising. CC ID 06256 | Privacy protection for information and data | Data and Information Management | |
Disclose Individually Identifiable Health Information for research use when the appropriate requirements are included in the approval documentation or waiver documentation. CC ID 06257 | Privacy protection for information and data | Establish/Maintain Documentation | |
Document the conditions for the disclosure of Individually Identifiable Health Information by an organization providing healthcare services to organizations other than business associates or other covered entities. CC ID 00201 | Privacy protection for information and data | Establish/Maintain Documentation | |
Disclose Individually Identifiable Health Information when the data subject cannot physically or legally provide consent and the disclosing organization is a healthcare provider. CC ID 00202 | Privacy protection for information and data | Data and Information Management | |
Disclose Individually Identifiable Health Information to provide appropriate treatment to the data subject when the disclosing organization is a healthcare provider. CC ID 00203 | Privacy protection for information and data | Data and Information Management | |
Disclose Individually Identifiable Health Information when it is not contrary to the data subject's wish prior to becoming unable to provide consent and the disclosing organization is a healthcare provider. CC ID 00204 | Privacy protection for information and data | Data and Information Management | |
Disclose Individually Identifiable Health Information that is reasonable or necessary for the disclosure purpose when the disclosing organization is a healthcare provider. CC ID 00205 | Privacy protection for information and data | Data and Information Management | |
Disclose Individually Identifiable Health Information consistent with the law when the disclosing organization is a healthcare provider. CC ID 00206 | Privacy protection for information and data | Data and Information Management | |
Disclose Individually Identifiable Health Information in order to carry out treatment when the disclosing organization is a healthcare provider. CC ID 00207 | Privacy protection for information and data | Data and Information Management | |
Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject has provided consent and the disclosing organization is a healthcare provider. CC ID 00208 | Privacy protection for information and data | Data and Information Management | |
Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject's guardian or representative has provided consent and the disclosing organization is a healthcare provider. CC ID 00209 | Privacy protection for information and data | Data and Information Management | |
Disclose Individually Identifiable Health Information when the disclosing organization is a healthcare provider that supports public health and safety activities. CC ID 06248 | Privacy protection for information and data | Data and Information Management | |
Disclose Individually Identifiable Health Information in order to report abuse or neglect when the disclosing organization is a healthcare provider. CC ID 06819 | Privacy protection for information and data | Data and Information Management | |
Refrain from disclosing Individually Identifiable Health Information related to reproductive health care, as necessary. CC ID 17250 | Privacy protection for information and data | Business Processes | |
Document how Individually Identifiable Health Information is used and disclosed when authorization has been granted. CC ID 00216 | Privacy protection for information and data | Establish/Maintain Documentation | |
Define and implement valid authorization control requirements. CC ID 06258 | Privacy protection for information and data | Establish/Maintain Documentation | |
Obtain explicit consent for authorization to release Individually Identifiable Health Information. CC ID 00217 | Privacy protection for information and data | Data and Information Management | |
Obtain explicit consent for authorization to release psychotherapy notes. CC ID 00218 | Privacy protection for information and data | Data and Information Management | |
Cease the use or disclosure of Individually Identifiable Health Information under predetermined conditions. CC ID 17251 | Privacy protection for information and data | Business Processes | |
Refrain from using Individually Identifiable Health Information related to reproductive health care, as necessary. CC ID 17256 | Privacy protection for information and data | Business Processes | |
Refrain from using Individually Identifiable Health Information to determine eligibility or continued eligibility for credit. CC ID 00219 | Privacy protection for information and data | Data and Information Management | |
Process personal data after the data subject has granted explicit consent. CC ID 00180 | Privacy protection for information and data | Data and Information Management | |
Process personal data in order to perform a legal obligation or exercise a legal right. CC ID 00182 | Privacy protection for information and data | Data and Information Management | |
Process personal data relating to criminal offenses when required by law. CC ID 00237 | Privacy protection for information and data | Data and Information Management | |
Process personal data in order to prevent personal injury or damage to the data subject's health. CC ID 00183 | Privacy protection for information and data | Data and Information Management | |
Process personal data in order to prevent personal injury or damage to a third party's health. CC ID 00184 | Privacy protection for information and data | Data and Information Management | |
Process personal data for statistical purposes or scientific purposes. CC ID 00256 | Privacy protection for information and data | Data and Information Management | |
Process personal data during legitimate activities with safeguards for the data subject's legal rights. CC ID 00185 | Privacy protection for information and data | Data and Information Management | |
Process traffic data in a controlled manner. CC ID 00130 | Privacy protection for information and data | Data and Information Management | |
Process personal data for health insurance, social insurance, state social benefits, social welfare, or child protection. CC ID 00186 | Privacy protection for information and data | Data and Information Management | |
Process personal data when it is publicly accessible. CC ID 00187 | Privacy protection for information and data | Data and Information Management | |
Process personal data for direct marketing and other personalized mail programs. CC ID 00188 | Privacy protection for information and data | Data and Information Management | |
Refrain from processing personal data for marketing or advertising to children. CC ID 14010 | Privacy protection for information and data | Business Processes | |
Process personal data for the purposes of employment. CC ID 16527 | Privacy protection for information and data | Data and Information Management | |
Process personal data for justice administration, lawsuits, judicial decisions, and investigations. CC ID 00189 | Privacy protection for information and data | Data and Information Management | |
Process personal data for debt collection or benefit payments. CC ID 00190 | Privacy protection for information and data | Data and Information Management | |
Process personal data in order to advance the public interest. CC ID 00191 | Privacy protection for information and data | Data and Information Management | |
Process personal data for surveys, archives, or scientific research. CC ID 00192 | Privacy protection for information and data | Data and Information Management | |
Process personal data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00193 | Privacy protection for information and data | Data and Information Management | |
Process personal data for academic purposes or religious purposes. CC ID 00194 | Privacy protection for information and data | Data and Information Management | |
Process personal data when it is used by a public authority for National Security policy or criminal policy. CC ID 00195 | Privacy protection for information and data | Data and Information Management | |
Refrain from storing data in newly created files or registers which directly or indirectly reveals the restricted data. CC ID 00196 | Privacy protection for information and data | Data and Information Management | |
Follow legal obligations while processing personal data. CC ID 04794 | Privacy protection for information and data | Data and Information Management | |
Start personal data processing only after the needed notifications are submitted. CC ID 04791 | Privacy protection for information and data | Data and Information Management | |
Refrain from disclosing personal data absent consent of the individual or for defined exceptions. CC ID 11967 [The obligation of professional secrecy shall apply to all persons who are employed or who have been employed by competent authorities. Information covered by professional secrecy may not be disclosed to any other person or authority except by virtue of the laws, regulations or administrative procedures of a Member State. Article 36 2.] | Privacy protection for information and data | Records Management | |
Establish, implement, and maintain data disclosure procedures. CC ID 00133 [Each Member State shall ensure that statutory auditors and audit firms are entered in a public register in accordance with Articles 16 and 17. In exceptional circumstances, Member States may disapply the requirements laid down in this Article and Article 16 regarding disclosure only to the extent necessary to mitigate an imminent and significant threat to the personal security of any person. Article 15 1.] | Privacy protection for information and data | Establish/Maintain Documentation | |
Disseminate and communicate the disclosure requirements to interested personnel and affected parties. CC ID 16901 | Privacy protection for information and data | Communicate | |
Identify any adverse effects the disclosure of personal data will have on the data subject. CC ID 15298 | Privacy protection for information and data | Data and Information Management | |
Review personal data disclosure requests. CC ID 07129 | Privacy protection for information and data | Data and Information Management | |
Notify the data subject of the disclosure purpose. CC ID 15268 | Privacy protection for information and data | Communicate | |
Establish, implement, and maintain data request denial procedures. CC ID 00434 [The working arrangements referred to in paragraph 1(d) shall ensure that: the request from a competent authority of a third country for audit working papers or other documents held by a statutory auditor or audit firm can be refused: where judicial proceedings have already been initiated in respect of the same actions and against the same persons before the authorities of the requested Member State. Article 47 2.(d) Bullet 2 The working arrangements referred to in paragraph 1(d) shall ensure that: the request from a competent authority of a third country for audit working papers or other documents held by a statutory auditor or audit firm can be refused: where the provision of those working papers or documents would adversely affect the sovereignty, security or public order of the Community or of the requested Member State, or Article 47 2.(d) Bullet 1] | Privacy protection for information and data | Establish/Maintain Documentation | |
Include frivolous requests or vexatious requests as a reason for denial in the personal data request denial procedures. CC ID 00435 | Privacy protection for information and data | Data and Information Management | |
Include when the required information is unavailable as a reason for denial in the personal data request denial procedures. CC ID 00436 | Privacy protection for information and data | Data and Information Management | |
Include when the disclosure of personal data constitutes contempt of court or contempt of House of Representatives as a reason for denial in the personal data request denial procedures. CC ID 00437 | Privacy protection for information and data | Data and Information Management | |
Include disclosing personal data that would identify suppliers or breaches an express promise of privacy or implied promise of privacy as a reason for denial in the personal data request denial procedures. CC ID 00438 | Privacy protection for information and data | Data and Information Management | |
Include disclosing personal data that would compromise National Security as a reason for denial in the personal data request denial procedures. CC ID 00439 | Privacy protection for information and data | Data and Information Management | |
Include information that is protected by attorney-client privilege as a reason for denial in the personal data request denial procedures. CC ID 00440 | Privacy protection for information and data | Data and Information Management | |
Include disclosing personal data that would reveal trade secrets, commercial information, or harmful financial information as a reason for denial in the personal data request denial procedures. CC ID 00441 [The competent authorities may refuse to act on a request for information where: supplying information might adversely affect the sovereignty, security or public order of the requested Member State or breach national security rules; or Article 36 4. ¶ 3 (a)] | Privacy protection for information and data | Data and Information Management | |
Include disclosing personal data that would threaten an individual's life or an individual's security as a reason for denial in the personal data request denial procedures. CC ID 00442 | Privacy protection for information and data | Data and Information Management | |
Include disclosing personal data that would have an unreasonable impact on another individual's privacy as a reason for denial in the personal data request denial procedures. CC ID 00443 | Privacy protection for information and data | Data and Information Management | |
Include disclosing personal data that would threaten facilities, property, transport, or communication systems as a reason for denial in the personal data request denial procedures. CC ID 08702 | Privacy protection for information and data | Process or Activity | |
Include responding to access requests after the time limit as a reason for denial in the personal data request denial procedures. CC ID 13600 [The competent authorities may refuse to act on a request for information where: final judgment has already been passed in respect of the same actions and on the same statutory auditors or audit firms by the competent authorities of the requested Member State. Article 36 4. ¶ 3 (c)] | Privacy protection for information and data | Data and Information Management | |
Include information that was generated from a formal dispute as a reason for denial in the personal data request denial procedures. CC ID 00444 [The competent authorities may refuse to act on a request for information where: judicial proceedings have already been initiated in respect of the same actions and against the same statutory auditors or audit firms before the authorities of the requested Member State; or Article 36 4. ¶ 3 (b)] | Privacy protection for information and data | Data and Information Management | |
Include personal data that is used solely for scientific research, scholarly research, statistical research, library purposes, museum purposes, or archival purposes as a reason for denial in the personal data request denial procedures. CC ID 00445 | Privacy protection for information and data | Data and Information Management | |
Include personal data that is for protecting the civil rights or other's freedoms as a reason for denial in the personal data request denial procedures. CC ID 00447 | Privacy protection for information and data | Data and Information Management | |
Include disclosing personal data that constitutes a state secret as a reason for denial in the personal data request denial procedures. CC ID 00448 | Privacy protection for information and data | Data and Information Management | |
Include disclosing personal data that would result in interference with the operation of public functions as a reason for denial in the personal data request denial procedures. CC ID 00449 | Privacy protection for information and data | Data and Information Management | |
Include disclosing personal data that would interrupt criminal investigation and surveillance or other legal purposes as a reason for denial in the personal data request denial procedures. CC ID 00450 | Privacy protection for information and data | Data and Information Management | |
Include when a country's laws prevent disclosure as a reason for denial in the personal data request denial procedures. CC ID 00451 | Privacy protection for information and data | Data and Information Management | |
Include disclosing personal data that would interfere with grievance proceeding or employee security investigations as a reason for denial in the personal data request denial procedures. CC ID 06873 | Privacy protection for information and data | Data and Information Management | |
Include disclosing personal data that would interfere with commercial acquisitions or reorganizations as a reason for denial in the personal data request denial procedures. CC ID 06874 | Privacy protection for information and data | Data and Information Management | |
Include if the cost or burden of disclosing the personal data is disproportionate as a reason for denial in the personal data request denial procedures. CC ID 06875 | Privacy protection for information and data | Data and Information Management | |
Notify interested personnel and affected parties of the reasons the data access request was refused. CC ID 00453 | Privacy protection for information and data | Data and Information Management | |
Notify the individual of the organization's legal rights to refuse the personal data access request, as necessary. CC ID 13509 | Privacy protection for information and data | Communicate | |
Notify individuals of their right to challenge a refusal to a data access request. CC ID 00454 | Privacy protection for information and data | Data and Information Management | |
Include if the record would constitute an action for breach of a duty of confidence as a reason for denial in the personal data request denial procedures. CC ID 08700 | Privacy protection for information and data | Process or Activity | |
Disseminate and communicate personal data to the individual that it relates to. CC ID 00428 | Privacy protection for information and data | Data and Information Management | |
Provide personal data to an individual after the individual's identity has been confirmed. CC ID 06876 | Privacy protection for information and data | Data and Information Management | |
Notify the data subject of any exclusions to requested personal data. CC ID 15271 | Privacy protection for information and data | Communicate | |
Provide data or records in a reasonable time frame. CC ID 00429 | Privacy protection for information and data | Data and Information Management | |
Notify individuals of the new time limit for responding to an access request in a notice of extension. CC ID 13599 | Privacy protection for information and data | Communicate | |
Extend the time limit for providing personal data in order to convert it to an alternative format. CC ID 13591 | Privacy protection for information and data | Data and Information Management | |
Extend the time limit for providing personal data if the time is impracticable to respond to the access request. CC ID 13590 | Privacy protection for information and data | Data and Information Management | |
Extend the time limit for providing data if it would unreasonably interfere with the organization's activities. CC ID 13589 | Privacy protection for information and data | Data and Information Management | |
Provide data at a cost that is not excessive. CC ID 00430 | Privacy protection for information and data | Data and Information Management | |
Provide records or data in a reasonable manner. CC ID 00431 | Privacy protection for information and data | Data and Information Management | |
Provide personal data in a form that is intelligible. CC ID 00432 | Privacy protection for information and data | Data and Information Management | |
Provide restricted data that would threaten the life or security of another individual after that information has been redacted. CC ID 13604 | Privacy protection for information and data | Data and Information Management | |
Provide restricted data that would reveal confidential commercial information after that information has been redacted. CC ID 13602 | Privacy protection for information and data | Data and Information Management | |
Remove data pertaining to third parties before giving the requestor access to the information. CC ID 13601 | Privacy protection for information and data | Data and Information Management | |
Document that a data search was conducted in case the requested data cannot be found. CC ID 06953 | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish, implement, and maintain a data handling program. CC ID 13427 | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish, implement, and maintain data handling policies. CC ID 00353 | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish, implement, and maintain data and information confidentiality policies. CC ID 00361 [The obligation of professional secrecy shall apply to all persons who are employed or who have been employed by competent authorities. Information covered by professional secrecy may not be disclosed to any other person or authority except by virtue of the laws, regulations or administrative procedures of a Member State. Article 36 2.] | Privacy protection for information and data | Establish/Maintain Documentation | |
Prohibit personal data from being sent by e-mail or instant messaging. CC ID 00565 | Privacy protection for information and data | Data and Information Management | |
Protect electronic messaging information. CC ID 12022 | Privacy protection for information and data | Technical Security | |
Establish, implement, and maintain record structures to support information confidentiality. CC ID 00360 [Member States shall ensure that all information and documents to which a statutory auditor or audit firm has access when carrying out a statutory audit are protected by adequate rules on confidentiality and professional secrecy. Article 23 1. Competent authorities shall, on request, and without undue delay, supply any information required for the purpose referred to in paragraph 1. Where necessary, the competent authorities receiving any such request shall, without undue delay, take the necessary measures to gather the required information. Information thus supplied shall be covered by the obligation of professional secrecy to which the persons employed or formerly employed by the competent authorities that received the information are subject. Article 36 4. ¶ 1 The working arrangements referred to in paragraph 1(d) shall ensure that: the persons employed or formerly employed by the competent authorities of the third country that receive the information are subject to obligations of professional secrecy; Article 47 2.(b)] | Privacy protection for information and data | Data and Information Management | |
Include passwords, Personal Identification Numbers, and card security codes in the personal data definition. CC ID 04699 | Privacy protection for information and data | Configuration | |
Store payment card data in secure chips, if possible. CC ID 13065 | Privacy protection for information and data | Configuration | |
Refrain from storing data elements containing sensitive authentication data after authorization is approved. CC ID 04758 | Privacy protection for information and data | Configuration | |
Render unrecoverable sensitive authentication data after authorization is approved. CC ID 11952 | Privacy protection for information and data | Technical Security | |
Automate the disposition process for records that contain "do not store" data or "delete after transaction process" data. CC ID 06083 | Privacy protection for information and data | Data and Information Management | |
Log the disclosure of personal data. CC ID 06628 | Privacy protection for information and data | Log Management | |
Log the modification of personal data. CC ID 11844 | Privacy protection for information and data | Log Management | |
Encrypt, truncate, or tokenize data fields, as necessary. CC ID 06850 | Privacy protection for information and data | Technical Security | |
Implement security measures to protect personal data. CC ID 13606 | Privacy protection for information and data | Technical Security | |
Implement physical controls to protect personal data. CC ID 00355 | Privacy protection for information and data | Testing | |
Limit data leakage. CC ID 00356 | Privacy protection for information and data | Data and Information Management | |
Identify potential red flags to alert the organization before a data leakage has occurred. CC ID 04654 | Privacy protection for information and data | Monitor and Evaluate Occurrences | |
Establish, implement, and maintain Consumer Reporting Agency notification procedures. CC ID 04851 | Privacy protection for information and data | Business Processes | |
Acquire enough insurance to cover the liability for damages due to data leakage. CC ID 06408 | Privacy protection for information and data | Acquisition/Sale of Assets or Services | |
Alert appropriate personnel when data leakage is detected. CC ID 14715 | Privacy protection for information and data | Process or Activity | |
Develop remedies and sanctions for privacy policy violations. CC ID 00474 | Privacy protection for information and data | Data and Information Management | |
Notify the public and other agencies after a penalty becomes final. CC ID 06217 [Member States shall provide that measures taken and penalties imposed on statutory auditors and audit firms are appropriately disclosed to the public. Penalties shall include the possibility of the withdrawal of approval. Article 30 3.] | Privacy protection for information and data | Behavior | |
Structure the language of compliance documents. CC ID 06098 | Harmonization Methods and Manual of Style | Establish/Maintain Documentation | |
Standardize word usage. CC ID 06104 | Harmonization Methods and Manual of Style | Establish/Maintain Documentation | |
Write policies and instructions using clear and conspicuous language. CC ID 16286 [Member States shall require statutory auditors and audit firms to carry out statutory audits in compliance with international auditing standards adopted by the Commission in accordance with the procedure referred to in Article 48(2). Member States may apply a national auditing standard as long as the Commission has not adopted an international auditing standard covering the same subject-matter. Adopted international auditing standards shall be published in full in each of the official languages of the Community in the Official Journal of the European Union. Article 26 1.] | Harmonization Methods and Manual of Style | Establish/Maintain Documentation |