Auditing IT Controls Part I: Sarbanes-Oxley and IT Governance


Chapter 15

Auditing IT Controls Part I: Sarbanes-Oxley and IT Governance

What is Auditing…?

• Systematic Process
• Objectively obtaining and Evaluating Evidence
• regarding Assertions
• To ascertain the degree of correspondence

Systematic Process
- Structured
- Logical process
- Organized series of steps

Consists of three conceptual phases:
1. AUDIT PLANNING: UNDERSTAND your client’s business
2. TESTS OF CONTROLS: Assess quality of internal control
3. SUBSTANTIVE TESTING: Detailed investigation of specific account balances and transactions

An auditor must:
• Be INDEPENDENT and COMPETENT
• Follow 10 Generally Accepted Auditing Standards (GAAS)

Objectively obtaining and Evaluating Evidence

How to obtain Evidence?
• By conducting AUDIT PROCEDURES, auditors will be able to gather evidence that will corroborate or refute management’s assertions.

Evaluate Evidence:
• Is it Sufficient?
• Is it Appropriate?

MANAGEMENT ASSERTIONS
• Are claims made by management regarding the content of their issued financial statements
  1. Assertions about classes of transactions and events for the period under audit
  2. Assertions about account balances at the end of the period
  3. Assertions about the presentation and disclosure

Regarding Assertions about economic actions and events:
• Existence
• Completeness
• Rights and Obligations
• Valuation and Allocation
• Presentation and Disclosure

THREE TYPES OF AUDIT
To ascertain the degree of correspondence
1. FINANCIAL STATEMENT AUDIT (FS AUDIT)
• Are the financial statements fairly stated in accordance with applicable standards (GAAP)?
2. OPERATIONAL AUDIT
• Is the organization effective in achieving its goals and efficient in accomplishing its objectives?
3. COMPLIANCE AUDIT
• Does it adhere to its policies and procedures, rules and regulations of the authorities or governing bodies?

Upon completion of the audit, the auditor submits an AUDIT REPORT to the audit committee of the board of directors.

FOUR TYPES OF OPINIONS that an auditor includes in the audit report:
1.) UNQUALIFIED OPINION (“UNMODIFIED/CLEAN OPINION”)
2.) QUALIFIED OPINION
3.) ADVERSE OPINION
4.) DISCLAIMER

The audit report will then be COMMUNICATED TO THE INTERESTED USERS (“PUBLIC”).

Overview of SOX Sections 302 and 404

The Sarbanes–Oxley Act of 2002, enacted on July 30, 2002, also known as the "Public Company Accounting Reform and Investor Protection Act" and "Corporate and Auditing Accountability, Responsibility, and Transparency Act" and more commonly called Sarbanes–Oxley, Sarbox or SOX, is a United States federal law that set new or expanded requirements for all U.S. public company boards, management and public accounting firms.

Sarbanes–Oxley Section 302: Disclosure controls
• mandates a set of internal procedures designed to ensure accurate financial disclosure.
• certify financial and other information in the organization’s report
• certify internal controls over financial reporting

Sarbanes–Oxley Section 404: Assessment of internal control
1. Describe the flow of transactions, including IT aspects,
in sufficient detail to identify points at which a
misstatement could arise.
2. Using a risk-based approach, assess both the design
and operating effectiveness of selected internal controls
related to material accounts.
3. Assess the potential for fraud in the system and
evaluate the controls designed to prevent or detect
fraud.
4. Evaluate and conclude on the adequacy of controls
over the financial reporting process.
5. Evaluate entity-wide (general) controls that
correspond to COSO internal control framework.

COSO Internal Control Framework

Relationship Between IT Controls and Financial Reporting

Information technology drives the financial reporting process of modern organizations. SOX considers it an inextricable element of financial reporting that must be controlled.

2 Broad Groupings of IT Controls:
• Application Controls
• General Controls

Application Controls
- ensure the validity, completeness, and accuracy of financial transactions.
- designed to be application-specific.

Examples:
- Cash disbursement batch balancing technique
- Accounts receivable check digit procedure
- Payroll system limit check

3 Categories of Application Controls
• Input controls are designed to ensure that the information entered into the computer is authorized, accurate, and complete.
• Processing controls prevent and detect errors while transaction data are processed.
• Output controls focus on detecting errors after processing is completed, rather than on preventing errors.

General Controls
- include controls over IT governance, IT infrastructure, network and operating system security, database access, application acquisition and development, and program changes.
- needed to support the environment in which application controls function.

6 Categories of General Controls
1. Administration of IT function
2. Separation of duties
3. Systems Development
4. Physical and Online Security
5. Backup and Contingency Planning
6. Hardware Controls

Audit Implications of Sections 302 and 404

SOX legislation dramatically expands the role of external auditors by mandating that they attest to the quality of internal controls.

PCAOB Standard No. 5 specifically requires auditors to understand the transaction flows, including the controls over how transactions are initiated, authorized, recorded and reported.

Figure 15-2: Information Technology Control Relationship (IT CONTROLS)

Computer Fraud
- the act of using a computer to take or alter electronic data, or to gain unlawful use of a computer or system.

Computer fraud includes:
• Altering computer-readable records and files
• Altering the logic of computer software
• Illegal use of computer-readable information
• Illegal copying or intentional destruction of computer software
• Theft, misuse or misappropriation of computer hardware

Computer Fraud Categories
• Input frauds - the simplest and most common way to commit a fraud. Altering computer input requires little computer skill.
• Processor frauds - involve computer fraud committed through unauthorized system use.
• Computer instruction frauds - involve tampering with the software that processes company data.
• Data frauds - involve altering or damaging a company’s data files; or copying, using, or searching the data files without authorization.
• Output frauds - involve stealing or misusing system output. Output is usually displayed on a screen or printed on paper.

Figure 15-3: General Model for Accounting Information Systems

GENERAL MODEL FOR ACCOUNTING INFORMATION SYSTEM

1. DATA COLLECTION
- is the first operational stage in the information system.
• The control objective is to ensure that event data entering the system are:
  - valid
  - complete
  - free from material error
• The most important stage in the system.
• The most common access point for perpetrating computer fraud.

2. DATA PROCESSING
- once collected, data usually require processing to produce information.
• Program Fraud
  - creating illegal programs that can access data files.
  - destroying or corrupting a program’s logic using a computer virus.
  - altering program logic to cause the application to process data incorrectly.
• Operational Fraud
  - is the misuse or theft of the firm’s computer resources.

3. DATA PROCESSING
• Database Management Fraud includes: altering, deleting, corrupting, destroying and stealing an organization’s database.
• Destructive routine called “logic bomb”

4. INFORMATION GENERATION
- is the process of compiling, arranging, formatting and presenting information.
• The common computer fraud:
  - steal
  - misdirect
  - misuse computer output
• Another form of fraud called “eavesdropping”
  - involves listening to output transmissions over telecommunication lines.

IT GOVERNANCE CONTROL

IT GOVERNANCE
- is a broad concept relating to the decision rights and accountability for encouraging desirable behavior in the use of IT.

Five Main Focus Areas:
1. Strategic Alignment
2. Value Delivery
3. Risk Management
4. Resource Management
5. Performance Management

THREE GOVERNANCE ISSUES
• IT FUNCTION
• COMPUTER FUNCTION
• DISASTER RECOVERY PLANNING

IT FUNCTION
Five IT functions in an organization:
a) Communication
b) Data Management
c) Marketing
d) Process Improvement
e) Enterprise Resource Planning

COMPUTER FUNCTION
• PHYSICAL LOCATION
  - directly affects risk of destruction from a disaster.
  - away from hazards and traffic.
• CONSTRUCTION
  - ideally, single-story, solidly constructed with underground utilities.
  - windows should not open and a filtration system should be in place.
• ACCESS
  - should be limited with locked doors, cameras, key card entrance and sign-in logs.
• AIR CONDITIONING
  - should provide appropriate temperature and humidity for computers.
• FIRE SUPPRESSION
  - alarms, fire extinguishing systems, appropriate construction, fire exits.
• FAULT TOLERANCE
  - is the ability of the system to continue operation when part of the system fails.
  - total failure can occur only if multiple components fail.
  - redundant arrays of independent disks (RAID) involve using parallel disks with redundant data and applications so that if one disk fails, lost data can be reconstructed.
  - uninterruptible power supplies.

AUDIT PROCEDURES: THE COMPUTER CENTER
• Auditor must verify that physical controls and insurance coverage are adequate.
• Procedures include:
  - test of physical construction
  - test of the fire detection system
  - test of access control
  - test of RAID
  - test of the uninterruptible power supply
  - test of insurance coverage.

DISASTER RECOVERY PLANNING
• A disaster recovery plan is a statement of all actions to be taken before, during and after any type of disaster.

Four Common Features:
• Identify critical applications
• Create a disaster recovery team
• Provide second-site backup
• Specify back-up and off-site storage procedures

AUDIT PROCEDURES:
To verify DRP is a realistic solution, the following tests may be performed:
• Evaluate adequacy of backup site arrangements.
• Review list of critical applications for completeness.
• Verify copies of critical applications and operating systems are stored off-site.
• Verify critical data files are backed up in accordance with DRP.
• Verify that types and quantities of items specified in the DRP exist in a secure location.
• Verify disaster recovery team members are current employees and aware of their assigned responsibilities.

Organizational Structure Control

Organizational Structure
• Specifies the firm’s formal reporting, relationship, procedures, controls and authority and decision making process.
• Operational tasks should be separated to:
  1. Segregate the tasks of transaction authorization from transaction processing.
     Good internal control demands that no single employee be given too much responsibility. An employee should not be in a position to perpetrate and conceal fraud or unintentional error.
  2. Segregate record keeping from asset custody.
     The proper design and use of documents and records helps ensure the accurate and complete recording of all relevant transactions.
  3. Divide the transaction-processing tasks among individuals so that fraud will require collusion between two or more individuals.

Example: Internal Control Over Cash
• AUTHORIZATION: Purchases authorized by the manager
• EXECUTION: Purchases are made by the purchasing department
• CUSTODY: Payment checks are released to payees by the treasurer
• RECORDING: Purchase transactions are recorded by the accountant

SEGREGATION OF DUTIES WITHIN THE CENTRALIZED FIRM

Organizational chart of a centralized IT function

• Separating Systems Development from Computer Operations. The responsibilities of these groups should not be commingled. Systems development and maintenance professionals acquire (by in-house development and purchase) and maintain systems for users. Operations staff should run these systems and have no involvement in their design and implementation.
• Separating the Database Administrator from Other Functions. The DBA is responsible for a number of critical tasks pertaining to database security, including creating the database usage and planning for future expansion.
• Separating the DBA from Systems Development. Programmers create applications that access, update and retrieve data from the database. To achieve database access, therefore, both the programmer and the DBA need to agree as to the attributes and tables (user view) to make available to the application (or user) in question.
• Separating New Systems Development from Maintenance. Some companies organize their systems development function into two groups: system analysis and programming. The system analysis group works with users to produce a detailed design of the new system. The programming group codes the programs according to these design specifications. Under this approach, the programmer who codes the original programs also maintains them during the maintenance phase of the systems development cycle. This approach promotes two potential problems.

Inadequate Documentation
Poor quality systems documentation is a chronic IT problem and a significant challenge for many organizations seeking SOX compliance.

Program Fraud
Involves making unauthorized changes to program modules for the purpose of committing an illegal act.

THE DISTRIBUTED MODEL
Distributed Data Processing (DDP)

Early days
• Centralized processing
• Centralized databases

Today’s IT Environment
• Distributed data processing (DDP)
• Distributed databases (DDB)

The Computer Services Function

Distributed Data Processing
• In Distributed processing the data will be stored in different location (Distributed) and for processing the Program needs to access the data from different location and process it.

Centralized Data Processing
• Central processing is when all the data are brought to the common place (Server) and is processed by the processor (CPU). So basically all the data from hard disk will be brought to a server consisting of a RAM (Storage) and CPU (Processing).

Organizational Structure for a Distributed System

Advantages and Disadvantages of DDP

ADVANTAGES:
• Cost reductions
• Improved cost control
• Improved user satisfaction
• Backup of data

DISADVANTAGES:
• Inefficient use of resources
• Destruction of audit trails
• Inadequate segregation of duties
• Hiring qualified professionals
• Lack of standards

Distributed Organization with Corporate IT Function

CREATING A CORPORATE IT FUNCTION
Implement a Corporate IT Function:
• Central Testing of Commercial Hardware and Software
• User Services
• Standard-setting body
• Personnel Review

AUDIT OBJECTIVES RELATING TO ORGANIZATIONAL STRUCTURE
• The auditor’s objective is to verify that the structure of the IT function is such that individuals in incompatible areas are segregated in accordance with the level of potential risk and in a manner that promotes a working environment. This is an environment in which formal, rather than casual, relationships need to exist between incompatible tasks.

AUDIT PROCEDURES RELATING TO ORGANIZATIONAL STRUCTURE
If a company uses a centralized IT function:
• Review relevant documentation to determine if individuals or groups are performing incompatible functions.
• Review systems documentation and maintenance to verify maintenance programmers are not designers.
• Observe to determine if segregation policy is being followed.

If DDP used:
• Review relevant documentation to determine if individuals or groups are performing incompatible duties.
• Verify corporate policies and standards are published and provided to distributed IT units.
• Verify compensating controls are in place when needed.
• Review systems documentation to verify applications, procedures and databases are in accordance with standards.

Computer Center Security and Controls
• What is Security Control?
Security controls are safeguards or countermeasures to avoid, detect, counteract, or minimize security risks to physical property, information, computer systems, or other assets.

Factors that can affect data processing
• Fires
• Floods
• Wind
• Sabotage
• Earthquakes

Computer Center Controls
• The computer resides in an environment which has a critical impact on its continual operation and availability. This environment has several key control elements including temperature and humidity controls, power supply controls, working space control, fire protection systems, and physical security systems. Most of these elements are impacted during machine installation, which is usually a one-time process and consequently does not receive the attention given to other control and security problems.
• Physical Location - The computer center should be located away from human-made and natural hazards such as processing plants, gas and water mains, airports, high-crime areas, flood plains and geological faults.
• Construction - The computer center should be located in a single-story building of solid construction with controlled access.
• Access - Access to the computer center should be limited to the operators and other employees who work there. It should maintain accurate records of all events to verify the functions of access control.
• Air Conditioning - Computers function best in an air-conditioned environment.
• Fire Suppression - The most common threat to a firm’s computer equipment is fire.

Major Features Control System
• Automatic and manual alarms should be placed in strategic locations around the institution.
• Automatic fire extinguishing system that dispenses the appropriate suppressant.
• Manual fire extinguisher should be placed at strategic locations.
• Building should be of sound construction to withstand water damage
• Fire exits should be clearly marked during the fire

Fault Tolerance Controls
• The ability of system to continue operation when part of the system fails because of hardware failure, application program error, or operator error.
• Redundant arrays of independent disks (RAID) - involves using parallel disks that contain redundant elements of data and applications.
• Uninterruptible power supplies - help prevent data loss and system corruption. Implementing fault tolerance control ensures that there is no single point of potential system failure.

Audit Objectives relating to Computer Center Security
1. Controls governing computer center security are adequate to reasonably protect the organization from physical damage or losses.
2. Insurance coverage on equipment is adequate to compensate the organization for the destruction or damage to its computer center.
3. Operator documentation is adequate to deal with system failures as well as routine operations.

Audit Procedures for Assessing Physical Security Controls
• Test of Physical Construction - Architectural plans are used to determine that the computer center is solidly built of fireproof material.
• Test of Fire Detection System - The fire detection system should detect smoke, heat and combustible fumes.
• Test of Access Control - There should be an established routine for access to the computer center that is restricted to authorized employees.

Test of Fault Tolerance Controls
• RAID - configurations provide a graphical mapping of their redundant disk storage. This determines the level of business risk associated with disk failure.
• Power Supplies Backup - Periodic tests of the backup power supply ensure that it has the capacity to run the computer and air-conditioning.

Disaster Recovery Plan (DRP)
• A disaster recovery plan (DRP) is a comprehensive statement of all actions to be taken before, during, and after a disaster, along with documented, tested procedures that will ensure the continuity of operations. Although the details of each plan are unique to the needs of the organization, all workable plans possess common features.

Control Issues:
• Providing second-site backup
• Identifying critical applications
• Performing backup and off-site storage procedures
• Creating a disaster recovery team
• Testing the DRP

CONTROL ISSUE
• PROVIDING SECOND-SITE BACKUP
A necessary ingredient in a DRP is that it provides for duplicate data processing facilities following a disaster. The viable options available include the empty shell, recovery operations center and internally provided backup.
  - THE EMPTY SHELL or cold site plan is an arrangement wherein the company buys or leases a building that will serve as a data center.
  - THE RECOVERY OPERATIONS CENTER (ROC) or hot site is a fully equipped backup data center that many companies share.
  - INTERNALLY PROVIDED BACKUP - Larger organizations with multiple data processing centers often prefer the self-reliance that creating internal excess capacity provides.

• IDENTIFYING CRITICAL APPLICATIONS
All applications and data must be restored to pre-disaster business activity levels. The task of identifying and prioritizing critical applications requires active participation of management, user departments and internal auditors.

• PERFORMING BACKUP AND OFF-SITE STORAGE PROCEDURES
Data processing personnel should routinely perform backup and storage procedures to safeguard these critical resources.
  - Backup Data Files
  - Backup Documentation
  - Backup Supplies and Source Documents

• CREATING A DISASTER RECOVERY TEAM

• TESTING THE DRP
DRP tests are important and should be performed periodically. Tests provide measures of the preparedness of personnel and identify omissions or bottlenecks in the plan.

AUDIT OBJECTIVES: ASSESSING DISASTER RECOVERY PLAN
Audit Procedures for Assessing DRP:
1. Second Site Backup
2. Critical Application
3. Backup Critical Application
4. Backup Supplies, Source Documents and Documentation
5. The Disaster Recovery Team

Outsourcing the IT Function
• The practice of having certain job functions done outside a company instead of having an in-house department or employee handle them.
• Functions can be outsourced to either a company or an individual.
• It's the practice of sending certain job functions outside a company instead of handling them in house.

Benefits of IT Outsourcing
• Control IT Costs
• Reduce Labor Costs
• Trained, Experienced, Qualified, Certified
• Qualified doesn’t Equal Experienced
• Increase Efficiency and Competitiveness
• Quickly Implement New Technology
• Stay Focused on Your Core Business
• Reduce risk
• Level the Playing Field
• Compliance and Security

Core Competency
• A core competency is a concept in management theory introduced by C.K. Prahalad and Gary Hamel. It can be defined as "a harmonized combination of multiple resources and skills that distinguish a firm in the marketplace" and therefore are the foundation of companies' competitiveness.
• Core Competencies fulfill three criteria:
  1. Provides potential access to a wide variety of markets.
  2. Should make a significant contribution to the perceived customer benefits of the end product.
  3. Difficult to imitate by competitors.

Transaction Cost Economics
• It is a central theory in the field of Strategy. It addresses questions about why firms exist in the first place (i.e., to minimize transaction costs), how firms define their boundaries, and how they ought to govern operations.

Risk Inherent to IT Outsourcing

Risk 1. LOSS OF CONTROL
• Hiring an outsourcing firm to build software for you typically means ceding control of, and thus insight into, the development process.

Risk 2. LOW-QUALITY PRODUCT
• You need to ensure that the end product you get from your remote team meets your standards for quality and usability.

Risk 3. HIDDEN COSTS
• When it comes to costs, bear in mind that any vendor will expect you to pay for work not covered by the scope of your initial contract. That means you may end up spending more than the contract suggests, and in some cases a lot more.

Risk 4. SECURITY BREACH
• If any proprietary company information like algorithms, databases or other trade secrets is going to be transmitted to the vendor, there’s always a risk, however small, that your data will be compromised.

Loss of Strategic Advantage
• Competitive advantages are not permanent. You need to continually adjust, adapt and evolve your competitive advantages and positioning to respond to changes in customer preference, challenges from competitors, and changes within the company itself.

3 Biggest Reasons Why Companies Lose Their Competitive Advantage

1.) Changes in Customer Preference
• Too many companies don’t do a good enough job of connecting with or listening to their customers. Your customers might be drifting away from you, and you might not realize it until it’s too late.
• How to keep your competitive advantage: Focus on your customers. Conduct DOUBLE-BLIND MARKET RESEARCH to find out what truly matters to your customers about the product or service you provide – make sure you UNDERSTAND WHAT YOUR CUSTOMERS VALUE.

2.) Challenges From Competitors
• No competitive advantage is safe for long; often, just when a company figures out its competitive advantage, a competitor swoops in to change the game. Technological improvements, new marketing strategies, new ways of identifying underserved niches within the existing market – all of these are ways that competitors are constantly dueling to undermine each other’s competitive advantages.
• How to keep your competitive advantage: Focus on what you do best – better than any of your new (and current) competitors. Every company, no matter what size, industry or financial position, needs to take the time to uncover what truly makes them unique from their competitors – because even the biggest companies can crumble under the competition.

3.) Internal Changes
• Sometimes companies themselves are the ones who cause their competitive advantages to go away.
• How to keep your competitive advantage: No matter what internal changes happen to a company, continuing to conduct MARKET RESEARCH is one of the best ways to weather the changes. Don’t make a shift unless you know the shift is something your consumers will value.

Audit Implications of IT Outsourcing
• Points to remember
  1. Management may outsource the organization’s IT function, but cannot outsource its management responsibilities (SOX).
  2. The use of outsourcing doesn’t reduce management’s responsibility: maintain effective control over financing operations.
  3. If an audit client firm outsources its IT function, the vendor should be evaluated, either through internal evaluation or through an audit report.

Statement on Standards for Attestation Engagement No. 16
An internationally recognized third-party attestation report designed for service organizations such as IT outsourcing vendors.
• Promulgated by the AUDITING STANDARDS BOARD (ASB) of the AICPA
• Replacement of Statement on Auditing Standards No. 70 on June 15, 2011
• Purpose is to update SAS No. 17 which has been around since 1992
• Objective is to keep pace with the move toward globally accepted international accounting standards

SSAE 16 is the definitive standard by which client organizations can determine whether processes and controls at the third-party vendor are adequate to prevent or detect material errors that could have an impact on the client’s financial statements.

HOW DOES SSAE 16 REPORTING WORK?

[Figure: the Outsourcing Vendor, audited by the Vendor Auditor, serves Clients 1, 2, 3 and 4; the SSAE 16 report goes to Client Auditors A, B, C and D.]

Process:
1. The outsourcing vendor serves clients 1, 2, 3 and 4. The system processes and internal controls reside at the vendor location.
2. They are then audited by the vendor’s auditor, who then expresses an opinion and issues an SSAE 16 report.
3. Each of the client firms is audited by a different auditor (A, B, C and D), who rely on the SSAE 16 report by the vendor.
4. The service provider auditor issues two types of SSAE 16 report:
• Type 1: Attests to the vendor management’s description of their system and the sustainability of the design of controls. Less rigorous than Type 2 and comments only on the sustainability of the control’s design.
• Type 2: Attests to the management’s description of their system, the sustainability of the design of controls, and the operating effectiveness of controls.

SSAE 16 REPORT CONTENTS
• Provides description of the service provider’s system including details of how transactions are processed and results are communicated to their client organization.
• Describes relevant internal control issues consistent with the COSO control model.
  a. Control Environment
  b. Risk Assessment
  c. Information and Communication Systems
  d. Control Activities
  e. Control Monitoring
• Specifies control objectives and the controls designed to achieve those objectives.

Methods of Subservice Organization Reporting
1. CARVE-OUT METHOD: service provider management would exclude the subservice organization’s relevant control objectives and related controls from the description system. Description would include the nature of the services performed by the subservice organization.
2. INCLUSIVE METHOD: service provider’s description of its system will include the service performed by the subservice organization. In addition, the report will include the relevant control objectives and related controls of the subservice organization.

END OF THE CHAPTER
