Auditing monitoring and evaluation

What is a risk assessment & auditing & monitoring?

A meaningful risk assessment informs a company’s understanding of third-party risk, but auditing and monitoring facilitate the processes that keep that risk assessment current, along with periodic due diligence updates, exercise of audit rights, training, and tracking of annual certifications.

What is monitoring & evaluation?

Monitoring and evaluation usually include information on the cost of the programme being monitored or evaluated.

This allows judging the benefits of a programme against its costs and identifying which intervention has the highest rate of return.

Two tools are commonly used

Why are audit and monitoring activities important?

Audit and monitoring activities are key to both informing a company’s risk assessment and executing control activities to monitor the identified risks appropriately.

Risk assessments form the basis of where and how a company allocates resources within audit and monitoring plans at the organisational, regional and local level.

Before explaining the difference between monitoring and evaluation, let us first understand what monitoring and e…

Group of reports produced in an audit

System and Organization Controls (SOC), as defined by the American Institute of Certified Public Accountants (AICPA), is the name of a suite of reports produced during an audit.
It is intended for use by service organizations to issue validated reports of internal controls over their information systems to the users of those services.
The reports focus on controls grouped into five categories called Trust Services Criteria.
The Trust Services Criteria were established by The AICPA through its Assurance Services Executive Committee (ASEC) in 2017.
These control criteria are to be used by the practitioner/examiner in attestation or consulting engagements to evaluate and report on controls of information systems offered as a service.
The engagements can be done on an entity-wide, subsidiary, division, operating unit, product line or functional area basis.
The Trust Services Criteria were modeled in conformity to The Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control - Integrated Framework.
In addition, the Trust Services Criteria can be mapped to NIST SP 800-53 criteria and to EU General Data Protection Regulation (GDPR) Articles.
The AICPA auditing standard Statement on Standards for Attestation Engagements no. 18, section 320, Reporting on an Examination of Controls at a Service Organization Relevant to User Entities' Internal Control Over Financial Reporting, defines two levels of reporting, type 1 and type 2.
Additional AICPA guidance materials specify three types of reporting: SOC 1, SOC 2, and SOC 3.
