REPORT 2015/112 INTERNAL AUDIT DIVISION



Similar documents
How To Ensure That Non-Peoplesoft Applications Can Withstand Adverse Events

REPORT 2016/057 INTERNAL AUDIT DIVISION

REPORT 2014/001 INTERNAL AUDIT DIVISION. Audit of information and communications technology help desk operations at United Nations Headquarters

INTERNAL AUDIT DIVISION AUDIT REPORT 2013/073

REPORT 2016/047 INTERNAL AUDIT DIVISION. Audit of the operations in Egypt for the Office of the United Nations High Commissioner for Refugees

OVERALL RATING: PARTIALLY SATISFACTORY

AUDIT REPORT INTERNAL AUDIT DIVISION. Asset management at the UNHCR operations in Georgia

AUDIT REPORT INTERNAL AUDIT DIVISION. Audit of business continuity and disaster recovery planning at UNON

AUDIT REPORT. Audit of the UNOG contracts for furniture supplies FINAL OVERALL RATING: PARTIALLY SATISFACTORY

REPORT 2016/061 INTERNAL AUDIT DIVISION. Audit of inventory management in the United Nations Interim Force in Lebanon

REPORT 2016/045 INTERNAL AUDIT DIVISION. Audit of contracts management in the African Union-United Nations Hybrid Operation in Darfur

INTERNAL AUDIT DIVISION AUDIT REPORT 2013/064. Audit of air transportation management in the United Nations Mission in South Sudan

REPORT 2016/035 INTERNAL AUDIT DIVISION

AUDIT REPORT 2013/024

REPORT 2014/078 INTERNAL AUDIT DIVISION

AUDIT REPORT INTERNAL AUDIT DIVISION. Audit of non-expendable property at Headquarters

INTERNAL AUDIT DIVISION AUDIT REPORT 2013/020. Audit of the Umoja software system (SAP) implementation

AUDIT REPORT INTERNAL AUDIT DIVISION. Audit of the Riskmetrics system in the Investment Management Division of UNJSPF

AUDIT REPORT INTERNAL AUDIT DIVISION. Audit of United Nations Archives and Records Management

REPORT 2016/066 INTERNAL AUDIT DIVISION. Audit of management of technical cooperation projects in the Economic Commission for Africa

AUDIT REPORT. Services provided by the United Nations International Computing Centre to the UN Secretariat - Department of Field Support

AUDIT REPORT Audit of contracts management in UNMIS

INTERNAL AUDIT REPORT

Auditor General s Office. Governance and Management of City Computer Software Needs Improvement

FINAL AUDIT REPORT. Audit of the information and communications technology (ICT) governance and security management in peacekeeping missions

AUDIT REPORT INTERNAL AUDIT DIVISION. UNHCR's relationship with implementing partners

AUDIT REPORT INTERNAL AUDIT DIVISION. Invoice Processing in UNAMID. Internal controls over invoice processing were inadequate and ineffective

GOVERNANCE AND MANAGEMENT OF CITY COMPUTER SOFTWARE NEEDS IMPROVEMENT. January 7, 2011

Domain 1 The Process of Auditing Information Systems

Audit of IT Asset Management Report

Microsoft s Compliance Framework for Online Services

Asset Management Systems Scheme (AMS Scheme)

MANAGEMENT AUDIT REPORT DISASTER RECOVERY PLAN DEPARTMENT OF FINANCE AND ADMINISTRATIVE SERVICES INFORMATION TECHNOLOGY SERVICES DIVISION

Software Licenses Managing the Asset and Related Risks

Draft Information Technology Policy

EXECUTIVE SUMMARY Audit of vendor database management in UNOG

Audit of Business Continuity Planning

EXECUTIVE SUMMARY Audit of information and communications technology governance and security management in MINUSTAH

Service Support Kasse Initiatives, LLC. ITIL Configuration Management - 1. version 2.0

IT Assurance - Business Continuity and Disaster Recovery

RECORDS MANAGEMENT RECORDS MANAGEMENT SERVICES. Cost-Effective, Legally Defensible Records Management

AUDIT REPORT. The Department of Energy's Management of Cloud Computing Activities

AUDIT REPORT INTERNAL AUDIT DIVISION. Audit of UNCTAD Technical Cooperation Project Strengthening the Debt Management Capacity of Developing Countries

GUIDELINES FOR THE MANAGEMENT OF OPERATIONAL RISK FOR CREDIT UNIONS

Audit of Case Activity Tracking System Security Report No. OIG-AMR

2014 Audit of the Board s Information Security Program

AUDIT REPORT INTERNAL AUDIT DIVISION. Vendor payment process in MONUSCO

Audit of Financial Reporting Controls

Sound Transit Internal Audit Report - No

Audit of the Test of Design of Entity-Level Controls

Auditing in an Automated Environment: Appendix C: Computer Operations

Automated IT Asset Management Maximize organizational value using BMC Track-It! WHITE PAPER

AUDITING A BCP PLAN. Thomas Bronack Auditing a BCP Plan presentation Page: 1

ISO 9001:2015 Internal Audit Checklist

The Weill Cornell Medical College and Graduate School of Medical Sciences. Responsible Department: Information Technologies and Services (ITS)

ISO27001 Controls and Objectives

Client Security Risk Assessment Questionnaire

Business Continuity & Crisis Management

FINAL AUDIT REPORT WITH RECOMENDATIONS Information Technology No

GUIDELINES FOR BUSINESS CONTINUITY IN WHOLESALE MARKETS AND SUPPORT SYSTEMS MARKET SUPERVISION OFFICE. October 2004

AUDIT OF SBA S COMPLIANCE WITH JOINT FINANCIAL MANAGEMENT IMPROVEMENT PROGRAM PROPERTY MANAGEMENT SYSTEM REQUIREMENTS AUDIT REPORT NUMBER 3-34

ULSTER COUNTY COMPTROLLER S OFFICE Elliott Auerbach, Comptroller

Office of the Chief Information Officer

Services Providers. Ivan Soto

University of Massachusetts Medical School's Data Center Relocation For the period July 1, 2008 through August 31, 2010

Certified Information Systems Auditor (CISA)

AUDIT OF READINESS FOR THE IMPLEMENTATION OF THE POLICY ON INTERNAL CONTROL

Decision on adequate information system management. (Official Gazette 37/2010)

Intel Enhanced Data Security Assessment Form

Department of Public Utilities Customer Information System (BANNER)

DISASTER RECOVERY PLANNING FOR CITY COMPUTER FACILITIES

EVALUATION REPORT. Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review. March 13, 2015 REPORT NUMBER 15-07

TG TRANSITIONAL GUIDELINES FOR ISO/IEC :2015, ISO 9001:2015 and ISO 14001:2015 CERTIFICATION BODIES

POSTAL REGULATORY COMMISSION

FINAL May Guideline on Security Systems for Safeguarding Customer Information

AUDIT REPORT INTERNAL AUDIT DIVISION. Audit of OCHA s management of the Haiti Emergency Relief and Response Fund

D. MCLAUGHLIN & SONS LTD QUALITY MANUAL

Audit of NRC s Network Security Operations Center

SOFTWARE MANAGEMENT EXECUTIVE SUMMARY

Office of the Auditor General Performance Audit Report. Statewide UNIX Security Controls Department of Technology, Management, and Budget

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY

Disaster Recovery and Business Continuity Plan

U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL

PAPER-6 PART-5 OF 5 CA A.RAFEQ, FCA

Guideline for Roles & Responsibilities in Information Asset Management

ISO/IEC 27002:2013 WHITEPAPER. When Recognition Matters

DRAFT Disaster Recovery Policy Template

Guide to the Sarbanes-Oxley Act: IT Risks and Controls. Frequently Asked Questions

PRIVY COUNCIL OFFICE. Audit of Information Technology (IT) Security. Final Report

Head of Information & Communications Technology Responsible work team: ICT Security. Key point summary... 2

Transcription:

INTERNAL AUDIT DIVISION REPORT 2015/112 Audit of information and communication technology hosting services provided by third parties to the Office of the United Nations High Commissioner for Refugees Overall results relating to the effective management of information and communication technology hosting services provided by third parties were initially assessed as partially. Implementation of three important recommendations remains in progress FINAL OVERALL RATING: PARTIALLY SATISFACTORY 30 September 2015 Assignment No. AR2015/166/01

CONTENTS Page I. BACKGROUND 1 II. OBJECTIVE AND SCOPE 2 III. AUDIT RESULTS 2-6 A. Strategic planning 3-4 B. Performance monitoring 4 C. Information and communication technology support systems 5-6 IV. ACKNOWLEDGEMENT 6 ANNEX I APPENDIX I Status of audit recommendations Management response

AUDIT REPORT Audit of information and communication technology hosting services provided by third parties to the Office of the United Nations High Commissioner for Refugees I. BACKGROUND 1. The Office of Internal Oversight Services (OIOS) conducted an audit of information and communication technology (ICT) hosting services provided by third parties to the Office of the United Nations High Commissioner for Refugees (UNHCR). 2. In accordance with its mandate, OIOS provides assurance and advice on the adequacy and effectiveness of the United Nations internal control system, the primary objectives of which are to ensure (a) efficient and effective operations; (b) accurate financial and operational reporting; (c) safeguarding of assets; and (d) compliance with mandates, regulations and rules. 3. The concept of hosting services is based on an outsourcing arrangement whereby a service provider will host information systems or resources on behalf of a client. These systems and resources are then accessed by the client over a dedicated network or the Internet. It is a business model used for delivering ICT services. 4. Within the UNHCR Division of Information Systems and Telecommunications (DIST), ICT Operations, a service operating out of Amman, Jordan, has the overall responsibility for designing, delivering and maintaining the common ICT infrastructure which is the foundation of all services provided by DIST. The ICT Platform Section, under ICT Operations, manages hosting services, and its terms of reference include: (a) managing the hosting arrangements with outsourced service providers and ensuring that these services are provided to the agreed service levels; and (b) providing increased efficiencies and cost reductions, while remaining fit for purpose. 5. The corporate ICT systems of UNHCR are currently hosted in a United Nations entity and a private sector service provider. The United Nations entity owns the hardware and hosts the missioncritical systems such as: Managing for Systems, Resources and People (MSRP), the UNHCR enterprise resource planning system; FOCUS, the UNHCR results-based management system; and the UNHCR public website (unhcr.org). The private sector service provider hosts Microsoft Exchange, another mission-critical system for UNHCR messaging services. This service provider also hosts: the development and production environments of the progres system, the UNHCR refugee registration system; esafe, the UNHCR document management system; and part of the UNHCR wide area network/internet connectivity and Hyper-V, a virtual server farm. UNHCR owns and provides the hardware for these services while the private sector entity provides the facilities such as the premises, air conditioning, power and connectivity. 6. The total payment that UNHCR made to the private sector hosting service provider in both 2013 and 2014 was $450,000. The payment to the United Nations entity for 2013 and 2014 was $3.4 million. The written down value of ICT assets located at the premises of the private sector entity amounted to $400,000 as at 31 December 2014, while their acquisition cost was $1.3 million. 7. Comments provided by UNHCR are incorporated in italics. 1

II. OBJECTIVE AND SCOPE 8. The audit was conducted to assess the adequacy and effectiveness of UNHCR governance, risk management and control processes in providing reasonable assurance regarding the effective management of information and communication technology hosting services provided by third parties. 9. This audit was included in the OIOS 2015 risk-based internal audit work plan for UNHCR because of the risks associated with relying on third parties hosting mission-critical ICT systems for UNHCR. 10. The key controls tested for the audit were: (a) strategic planning; (b) performance monitoring; and (c) ICT support systems. For the purpose of this audit, OIOS defined these key controls as follows: (a) Strategic planning - controls that provide reasonable assurance that DIST has developed a strategic plan to implement its organizational objectives for ICT services, including those outsourced to third party hosting service providers. (b) Performance monitoring - controls that provide reasonable assurance that metrics are established to monitor third party hosting service providers and to ensure that provisions in the relevant service level agreements are complied with. (c) ICT support systems - controls that provide reasonable assurance that the ICT systems supporting UNHCR operations exist and are physically secure. 11. The key controls were assessed for the control objectives shown in Table 1. 12. OIOS conducted the audit from February to June 2015. The audit covered the period from 1 January 2013 to 31 December 2014. 13. OIOS conducted an activity-level risk assessment to identify and assess specific risk exposures, and to confirm the relevance of the selected key controls in mitigating associated risks. Through interviews and analytical reviews, OIOS assessed the existence and adequacy of internal controls and conducted necessary tests to determine their effectiveness. III. AUDIT RESULTS 14. The UNHCR governance, risk management and control processes examined were initially assessed as partially 1 in providing reasonable assurance regarding the effective management of information and communication technology hosting services provided by third parties. OIOS made three recommendations to address the issues identified. 15. There was a need for UNHCR to: (a) update the ICT strategy to reflect the use of hosting and cloud services; (b) implement measures to facilitate physical verification of assets located at the site of the private sector hosting service provider; and (c) store off-site the information held in the premises of the private sector hosting service provider. 1 A rating of partially means that important (but not critical or pervasive) deficiencies exist in governance, risk management or control processes, such that reasonable assurance may be at risk regarding the achievement of control and/or business objectives under review. 2

16. The initial overall rating was based on the assessment of key controls presented in Table 1. The final overall rating is partially as implementation of three important recommendations remains in progress. Business objective Effective management of information and communication technology hosting services provided by third parties Key controls (a) Strategic planning (b) Performance monitoring (c) ICT support systems Table 1: Assessment of key controls Efficient and effective operations Control objectives Accurate financial and operational reporting Safeguarding of assets Compliance with mandates, regulations and rules Satisfactory Satisfactory Satisfactory Satisfactory FINAL OVERALL RATING: PARTIALLY SATISFACTORY A. Strategic planning The information and communication technology strategy should be updated to reflect the use of hosting and cloud services 17. The UNHCR Global Management and Accountability Framework requires DIST to design, update and implement an ICT strategy that responds to the evolving demands of UNHCR and to ensure that ICT investments are aligned and prioritized with operational needs. In line with this responsibility, the UNHCR ICT strategy, which was last updated in October 2012, specifies that DIST consider alternative options for a coherent approach to infrastructure hosting to reduce costs and risk exposures. 18. A review of the 2012 ICT strategy showed that although it referred to hosting services, the document lacked relevant detail, such as the planned goals and the resources required, and did not refer to modalities for implementing the strategy. In contrast, the previous ICT strategy for 2008-2011 had specifically referred to determining options and costs for using external partners to host file servers, reviewing the performance of the United Nations entity for hosting the MSRP, and reviewing possible hosting solutions for headquarters servers and future provisioning strategy for servers. Further, although the ICT Platform Section was expected to provide a long-term strategy for the use of cloud services across UNHCR, this had not been done. 19. The lack of clarity concerning the UNHCR approach to use of hosting and cloud services occurred because the ICT strategy had not been updated for more than three years to reflect important and relevant developments. (1) The UNHCR Division of Information Systems and Telecommunications should update the UNHCR information and communication technology strategy to adequately reflect the use of hosting and cloud services. UNHCR accepted recommendation 1 and stated that the 2012 ICT strategy would be updated to 3

address the intended direction of hosting/cloud services at a strategic level. The specific implementation activities, along with the details concerning budget and resources would continue to be addressed in the DIST Annual Programme Review document. Recommendation 1 remains open pending receipt of the updated ICT strategy that adequately reflects the use of hosting and cloud services. B. Performance monitoring Adequate arrangements were in place for monitoring service delivery levels for hosting services in accordance with the agreements with the service providers 20. The Operational Guidelines on ICT Security specify that DIST, in close coordination with responsible UNHCR managers, should define and monitor service and delivery levels as well as security controls provided by third party providers supporting UNHCR information processing and telecommunication services to ensure that the services are implemented, operated and maintained in accordance with contractual obligations. 21. A review of the arrangements for performance monitoring of service delivery by the United Nations and the private sector ICT hosting service providers showed that the ICT Platform Section adequately monitored the service delivery by both providers, based on periodic reports received and regular meetings held with both entities. For example, the United Nations entity collected and published, on a monthly basis, service availability metrics which allowed UNHCR to measure the actual performance against service level targets and to compare the services with those offered by other service providers in the industry. UNHCR had also established adequate arrangements to monitor the agreement with the private sector entity under which facilities such as premises, air-conditioning, power and connectivity were provided. Temperature fluctuations and power outages were monitored by the technical staff of the private sector entity, and any events in this regard were published on their website and were thus accessible for review by DIST staff. No significant incidents of power outages or airconditioning problems had been reported. OIOS therefore concluded that adequate arrangements were in place for monitoring service delivery levels for ICT hosting services. Audit reports provided the required assurance on internal controls at the United Nations entity 22. The International Standard on Assurance Engagements 3402 on Assurance Reports on Controls at a Service Organization requires service providers to provide an assurance report over a specified period to its user entities and their auditors on the controls established that are likely to impact or be part of the system of internal control at the user entities. 23. In line with industry best practice, the United Nations entity pursued a number of relevant control certifications and independent audits based on international standards to ensure that a complete and effective set of operational controls were in place. OIOS review of the audit reports received by UNHCR for 2013 and 2014 concluded that the United Nations entity had established controls and the reports provided positive opinions on the adequacy of the ICT hosting arrangements. The agreement between UNHCR and the private sector entity did not contain such an audit clause, and no separate assurance reports were considered necessary since this was a contract for the provision of premises, airconditioning, power and connectivity for hosting UNHCR-owned and controlled hardware. In addition, the private sector entity provided the required services in accordance with the agreement and authorized UNHCR representatives had access to the ICT equipment located in its premises. 4

C. Information and communication technology support systems Measures needed to be implemented to facilitate physical verification of assets located at the site of the private sector hosting service provider 24. The UNHCR Manual specifies that once an item of property, plant and equipment (PPE) has been procured and delivered to a UNHCR office, it needs to be registered, tracked and managed until disposed of. Furthermore, each asset should be physically verified at least once a year to reconcile all assets recorded in the MSRP Asset Management Module with the physical holding and to provide the latest information on the location of the PPE and their working condition. 25. DIST stated that its assets in the premises of the private sector hosting service provider were physically verified in November 2014 and submitted a spreadsheet to corroborate the exercise performed. OIOS visited the private sector entity to physically verify the ICT assets hosted in its premises and observed that although the assets had barcode labels, only a few of those barcodes were visible externally. OIOS was able to physically verify only 12 of the more than 100 servers and devices. This was because the barcode labels for most of the live assets (such as servers) were affixed inside the enclosures of the equipment, and therefore could only be reviewed when the server or another device was shut down and removed from its docking position. Such an action was not possible at the time of the verification exercise as it would have disrupted the ICT services. 26. DIST had not adequately considered the constraints in its physical verification of assets and should have established a workaround to address the issue, such as using technology (e.g., pinging the servers to confirm their existence or running scripts) or displaying asset identifications using hanging tags. (2) The UNHCR Division of Information Systems and Telecommunications should use hanging tags as a solution to display the asset identification number from Managing for Systems, Resources and People for its assets in the custody of the private sector hosting service provider or use technology such as pinging the servers or running scripts to confirm their existence. UNHCR accepted recommendation 2 and stated that DIST would work with the managed service providers to ensure that for the new equipment installed, physical tags are identifiable at data centre locations. For the existing equipment, this would only be possible at the next major scheduled maintenance. Recommendation 2 remains open pending receipt of evidence that hanging tags have been used to display the asset identification number for assets in the custody of the private sector hosting services provider or, alternatively, that technology is used to confirm their existence. Off-site storage measures were required for information stored in the premises of the private sector hosting service provider 27. UNHCR ICT Security Operational Guidelines state that DIST, in close coordination with responsible UNHCR managers, should ensure that adequate and reliable backup and recovery procedures are in place, tested, stored and monitored for all ICT systems. Best practices for ICT, such as CoBiT and ISO/IEC 27001, recommend that, to protect against loss of data, UNHCR should have a sound backup policy and establish procedures to take regular backup copies of information and software. Such backup copies should be stored off-site and tested from time to time. 5

28. OIOS assessed through interviews with DIST officials that controls relating to off-site storage of information contained in the devices hosted with the private sector hosting service provider were not adequate. For example, backup copies of data were not stored off-site. 29. This situation occurred because appropriate procedures for off-site storage had not been established since DIST perceived the risk as low. DIST explained that the risk of losing data due to a hardware failure practically did not exist, as there was sufficient redundancy in that respect. DIST also explained that other solutions such as file system snapshotting and data protection managers put in place guaranteed against loss of data. However, in the opinion of OIOS, the established backup measures were applicable for on-site storage only and therefore did not entirely eliminate the risk of data loss. (3) The UNHCR Division of Information Systems and Telecommunications should establish and implement off-site storage procedures for information stored in the premises of the private sector hosting service provider that are consistent with operational requirements. UNHCR accepted recommendation 3 and stated that DIST had implemented off-site tape storage for esafe and was in the process of doing the same for progres v4 and the Biometric Identify Management System. Recommendation 3 remains open pending confirmation of the implementation of off-site storage procedures for all information stored in the premises of the private sector hosting service provider. IV. ACKNOWLEDGEMENT 30. OIOS wishes to express its appreciation to the management and staff of UNHCR for the assistance and cooperation extended to the auditors during this assignment. (Signed) David Kanja Assistant Secretary-General, Acting Head Office of Internal Oversight Services 6

ANNEX I STATUS OF AUDIT RECOMMENDATIONS Audit of information and communication technology hosting services provided by third parties to the Office of the United Nations High Commissioner for Refugees Recom. no. Recommendation 1 The UNHCR Division of Information Systems and Telecommunications should update the UNHCR information and communication technology strategy to adequately reflect the use of hosting and cloud services. 2 The UNHCR Division of Information Systems and Telecommunications should use hanging tags as a solution to display the asset identification number from Managing for Systems, Resources and People for its assets in the custody of the private sector hosting service provider or use technology such as pinging the servers or running scripts to confirm their existence. 3 The UNHCR Division of Information Systems and Telecommunications should establish and implement off-site storage procedures for information stored in the premises of the private sector hosting service provider that are consistent with operational requirements. Critical 1 / C/ Important 2 O 3 Actions needed to close recommendation Important O Submission to OIOS of the updated ICT strategy that adequately reflects the use of hosting and cloud services. Important O Submission to OIOS of documentary evidence that hanging tags have been used to display the asset identification number for assets in the custody of the private sector hosting service provider or, alternatively, that technology is used to confirm their existence. Important O Submission to OIOS of documentation confirming implementation of off-site storage procedures for all information stored in the premises of the private sector hosting service provider. Implementation date 4 31 December 2015 31 December 2015 31 December 2015 1 Critical recommendations address critical and/or pervasive deficiencies in governance, risk management or control processes, such that reasonable assurance cannot be provided with regard to the achievement of control and/or business objectives under review. 2 Important recommendations address important (but not critical or pervasive) deficiencies in governance, risk management or control processes, such that reasonable assurance may be at risk regarding the achievement of control and/or business objectives under review. 3 C = closed, O = open 4 Date provided by UNHCR in response to recommendations. 1

APPENDIX I Management Response

APPENDIX I Management Response Audit of information and communication technology hosting services provided by third parties to the Office of the United Nations High Commissioner for Refugees Rec. no. Recommendation 1 The UNHCR Division of Information Systems and Telecommunications should update the UNHCR information and communication technology strategy to adequately reflect the use of hosting and cloud services. 2 The UNHCR Division of Information Systems and Telecommunications should use hanging tags as a solution to display the asset ids from Managing for Systems, Resources and People for its assets in the custody of the private sector hosting services provider or use technology such as pinging the servers or running scripts to confirm their existence. 3 The UNHCR Division of Information Systems and Telecommunications should establish and implement off-site storage procedures for information stored in the premises of the private sector hosting services provider that are consistent with operational requirements. Critical 1 / Important 2 Accepted? (Yes/No) Title of responsible individual Important Yes Chief Information Officer (CIO) Important Yes Senior ICT Officer (Cross Functional) Important Yes Deputy Director, ICT Operations Implementation date 31 December 2015 31 December 2015 31 December 2015 Client comments The 2012 ICT Strategy which is currently being updated, will address the intended direction of hosting/cloud services at a strategic level. The specific implementation activities, along with the details concerning budget, resources etc. will continue to be addressed in the DIST Annual Program Review document. DIST will work with the Managed Service Providers to ensure that for the new equipment installed, physical tags are identifiable at data centre locations in the future. For the existing equipment this may only be possible at the next major scheduled maintenance. DIST has implemented off-site tape storage for esafe and is in the process of doing the same for progres v4 and Biometric Identify Management System. 1 Critical recommendations address critical and/or pervasive deficiencies in governance, risk management or control processes, such that reasonable assurance cannot be provided with regard to the achievement of control and/or business objectives under review. 2 Important recommendations address important (but not critical or pervasive) deficiencies in governance, risk management or control processes, such that reasonable assurance may be at risk regarding the achievement of control and/or business objectives under review.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information