2022-12-21

Guidelines for the Implementation of Information System Audits by Audit Firms for Supervised Entities

The Croatian Financial Services Supervisory Agency (Hanfa) issued these Guidelines to standardize how audit firms conduct and report on information system audits for supervised entities. The document mandates a risk-based, proportionality-driven audit methodology that requires auditors to assess organizational and technical controls, document material weaknesses, and provide actionable remediation recommendations with clear deadlines. It further establishes minimum reporting standards, including detailed IS descriptions, third-party engagement disclosures, and tracked implementation status of prior audit recommendations.


Based on Article 15, point 7 of the Act on the Croatian Financial Services Supervisory Agency (Official Gazette nos. 145/05 and 12/12), the Management Board of the Croatian Financial Services Supervisory Agency, at its meeting held on 21 December 2022, adopted

GUIDELINES FOR THE IMPLEMENTATION OF INFORMATION SYSTEM AUDITS BY AUDIT FIRMS

I. INTRODUCTORY PROVISIONS

  1. Objectives, Purpose and Scope

1.1. Objectives

These Guidelines for the Implementation of Information System Audits by Audit Firms (hereinafter: Guidelines) issued by the Croatian Financial Services Supervisory Agency (hereinafter: Hanfa) provide guidance for conducting information system (hereinafter: IS) audits of supervised entities by audit firms (hereinafter: auditors).

Article 2 of the Act on the Croatian Financial Services Supervisory Agency (Official Gazette nos. 140/05 and 12/12) defines supervised entities (hereinafter: entities) as all legal or natural persons engaged in providing financial services, offering advice on the financial market, selling, intermediating, or managing assets of financial service users. Hanfa is responsible for the supervision of the financial market, entities, and the financial services they provide.

Hanfa prescribes, through relevant statutory and subordinate acts, the implementation of IS audits for certain groups of entities by auditors, as well as the preparation of quality reports on IS for Hanfa’s purposes (hereinafter: report to Hanfa). To ultimately contribute to the quality of the audit process and the report to Hanfa, Hanfa aims through these Guidelines to achieve the following objectives:

  1. clarify the principles, criteria and procedures that Hanfa expects from auditors when conducting IS audits of entities; and
  2. clarify Hanfa’s minimum expectations regarding the content of reports to Hanfa prepared based on the completed audit process.

1.2. Purpose

These Guidelines are intended for:

  1. auditors who, in accordance with relevant statutory and subordinate acts as well as European Union acts, conduct IS audits as part of the entity’s financial statement audit to obtain assurance regarding the reliability and completeness of audited data, based on which they prepare a report to Hanfa;
  2. auditors who, in accordance with relevant statutory and subordinate acts as well as European Union acts, conduct standalone IS audits of entities, based on which they prepare a report to Hanfa; and
  3. supervised entities over whose IS one of the audit procedures described in points 1 and 2 is conducted.

The provisions of these Guidelines are not applicable in cases where the implementation of IS audits of entities in any form, or the preparation of reports to Hanfa, is not prescribed by relevant statutory and subordinate acts nor by European Union acts. Hanfa may, through appropriate acts, additionally prescribe specificities of the audit process and reports for certain groups of entities, which must be considered alongside these Guidelines.

1.3. Scope

These Guidelines cover the following:

  1. Principles, criteria and procedures for conducting IS audits of entities:
     • basic principles,
     • risk-based approach,
     • persons conducting the IS audit,
     • scope of the IS audit; and
     • implementation of the IS audit.
  2. Minimum expectations regarding the content of quality reports on IS for Hanfa’s purposes:
     • general assessment of the state and adequacy of IS management,
     • basic data on the implementation of the audit procedure,
     • description of the IS,
     • description of measures for managing cyber and information security of the IS;
     • identified weaknesses, deficiencies and risks of the information system and recommendations for their remediation; and
     • review of the status of implementation of recommendations for addressing identified weaknesses, deficiencies and risks issued during audits conducted in the previous period.

II. PRINCIPLES, CRITERIA AND PROCEDURES FOR THE IMPLEMENTATION OF INFORMATION SYSTEM AUDITS OF SUPERVISED ENTITIES

  1. Basic Principles

When planning and conducting the audit process and preparing reports, auditors shall be guided by internationally accepted auditing principles, with particular emphasis on the principle of proportionality and the principle of materiality.

  2. Risk-based Approach

Auditors shall use methodologies and procedures for IS audits based on risk assessment. The application of risk-based methodologies and procedures requires an understanding of the specific characteristics of the entity itself and its business environment. The auditor shall use the knowledge acquired about the specific characteristics of the entity and its business environment during the IS audit planning phase to direct its own resources efficiently and effectively towards risk areas.

During the actual implementation of the IS audit, the auditor shall identify specific IS risks and assess their level with regard to their impact on business processes and the achievement of the entity’s business objectives, guided by the principles of proportionality and materiality. When determining the level of identified risks, the auditor shall consider the design and operational effectiveness of the controls implemented to manage these risks.

  3. Persons Conducting the Information System Audit

Persons involved in any phase of the audit process must meet basic auditing and ethical principles, such as:
     • competence,
     • personal integrity,
     • independence,
     • confidentiality; and
     • objectivity.

The competencies of these persons shall include appropriate skills, knowledge and experience in the field of IS audit implementation.

  4. Scope of the Information System Audit

The scope of the IS audit shall be planned in advance based on an initial IS risk assessment. Accordingly, the auditor shall consider relevant IS management processes, organizational and technical IS protection solutions, compliance of the IS with applicable regulations, as well as material, intangible and human resources used in this process. When determining the scope, the auditor shall pay particular attention to those parts of the IS that play a significant role in supporting the entity’s core business processes.

  5. Implementation of the Information System Audit

The auditor shall follow internationally accepted methodologies for IS audit implementation, auditing standards and ethical principles. The auditor shall verify the appropriateness of established IS management processes and their documentation. Verification shall determine the level of process establishment and associated controls, their operational effectiveness in practice, as well as any weaknesses, deficiencies and risks arising from them.

The auditor shall analyze key resources used in IS management and the effectiveness of established organizational and technical IS protection measures against cyber and other security threats, paying particular attention to their properties and parameters as well as the appropriateness of their role in supporting the entity’s operations and achieving IS and overall business objectives. The auditor shall consider the entity’s internal regulations, as well as provisions of relevant statutory and subordinate acts and European Union acts.

The auditor shall collect and retain sufficient evidence to substantiate conclusions and findings resulting from the audit process. Upon completion of the audit process, the auditor shall present conclusions and findings to the entity’s responsible persons and obtain their confirmation of facts established during the process, as well as comments on the given findings and recommendations.

III. MINIMUM EXPECTATIONS REGARDING THE CONTENT OF INFORMATION SYSTEM QUALITY REPORTS FOR HANFA

  1. General Assessment of the State and Adequacy of Information System Management

Based on facts established during the audit process, the auditor shall provide a general assessment of the state and adequacy of IS management in the report. The assessment is descriptive, accompanied by an explanation of the facts on which it is based.

  2. Basic Data on the Implementation of the Audit Procedure

The auditor shall include in the report basic data related to the implementation of the audit process, which includes at least:
     • methodologies, standards and frameworks used in the audit process;
     • time period during which the audit procedure was conducted;
     • locations where the audit procedure was carried out;
     • third parties engaged by the auditor in implementing the audit process, with a description of their role; and
     • IS management areas that were subject to the audit process.

  3. Description of the Information System

The auditor shall list and briefly describe key elements of the entity’s IS, which includes at least:
     • structure of organizational units responsible for IS management and distribution of duties within them;
     • risk management system and internal controls related to IS;
     • technological basis of the IS, such as personal and server computers, network and telecommunications equipment, operating systems, application and database servers, email servers, file servers and others;
     • applications used to support business operations;
     • locations of server rooms;
     • external ICT service providers and their roles in IS functioning;
     • organizational and technical IS protection measures; and
     • business continuity plans and IS recovery plans.

  4. Identified Weaknesses, Non-conformities, Deficiencies and Risks of the Information System and Recommendations for Their Remediation

The auditor shall list identified IS weaknesses, deficiencies and risks in the report and provide recommendations for their remediation, taking into account the following:
     • Identified weaknesses, non-conformities, deficiencies and risks, as well as recommendations for their remediation, shall be clearly separated in the report text from other sections, such as IS descriptions, identified weaknesses/non-conformities/deficiencies and risks, recommendations issued during previous audits, etc.
     • The auditor shall list materially significant weaknesses, non-conformities, deficiencies and risks identified during the audit process, assess them, and explain their impact on the entity’s operations.
     • The auditor shall clarify the basis for deriving assessment levels of identified weaknesses, non-conformities, deficiencies and risks.
     • When assessing the levels of identified weaknesses, non-conformities, deficiencies and risks, the auditor shall consider the principles of proportionality and materiality.
     • For materially significant weaknesses, non-conformities, deficiencies and risks, the auditor shall provide recommendations for activities and deadlines for their remediation.
     • For given recommendations, the auditor shall obtain and document comments from the entity’s responsible persons regarding acceptance or non-acceptance of recommendations, with justification.

  5. Review of the Status of Implementation of Recommendations for Remediation of Identified Weaknesses, Non-conformities, Deficiencies and Risks Issued During the Audit Conducted in the Previous Period

The auditor shall include a review of the entity’s procedures regarding recommendations issued during audits conducted in the previous period, taking into account the following:
     • The auditor shall individually list all recommendations issued during audits conducted in the previous period, along with their current implementation status and a description of activities undertaken if recommendations were fully or partially implemented.
     • The implementation status of recommendations issued during audits conducted in the previous period shall be clearly separated in the text from other sections, such as IS descriptions, identified weaknesses/non-conformities/deficiencies and risks, recommendations issued during the current audit, etc.

IV. TRANSITIONAL AND FINAL PROVISIONS

These Guidelines are published on Hanfa’s website and enter into force upon publication. Upon entry into force of these Guidelines, the Guidelines for the Implementation of Information System Audits by Audit Firms for Supervised Entities dated 7 February 2014 cease to apply.

CLASS: 011-01/22-07/01
REGISTRATION NO.: 326-01-25-22-1
Zagreb, 21 December 2022.

CHAIRMAN OF THE MANAGEMENT BOARD
Dr. sc. Ante Žigman