CPL-02.1: Internal Audit Function

CPL 5 — Medium Detect

Mechanisms exist to implement an internal audit function that is capable of providing senior organization management with insights into the appropriateness of the organization's technology and information governance processes.

Control Question: Does the organization implement an internal audit function that is capable of providing senior organization management with insights into the appropriateness of its technology and information governance processes?

General (20)
Framework Mapping Values
AICPA TSC 2017:2022 (used for SOC 2) (source) CC4.1-POF1 CC4.1-POF2 CC4.1-POF3 CC4.1-POF4 CC4.1-POF5 CC4.1-POF6 CC4.1-POF7 CC4.1-POF8
COBIT 2019 APO02.04 MEA02.01 MEA02.02 MEA02.03 MEA02.04 MEA04.01 MEA04.02 MEA04.03 MEA04.04 MEA04.05 MEA04.06 MEA04.07 MEA04.08 MEA04.09
COSO 2017 Principle 19 Principle 20
CSA CCM 4 A&A-02 A&A-03 A&A-05 CEK-09 LOG-10
CSA IoT SCF 2 GVN-04
ISO/SAE 21434 2021 RQ-05-17
ISO 22301 2019 9.2 9.2.1 9.2.2
ISO 27001 2022 (source) 9.2 9.2.1 9.2.1(a)(1) 9.2.1(a)(2) 9.2.1(b) 9.2.2 9.2.2(a) 9.2.2(b) 9.2.2(c)
ISO 27002 2022 5.35 8.34
ISO 27017 2015 12.7.1
ISO 27701 2025 9.2.1 9.2.1(a) 9.2.1(b)
ISO 29100 2024 6.12
ISO 42001 2023 9.2.1 9.2.1(a) 9.2.1(a)(1) 9.2.1(a)(2) 9.2.1(b) 9.2.2 9.2.2(a) 9.2.2(b) 9.2.2(c)
NIST 800-171 R2 (source) 3.12.1
NIST 800-171 R3 (source) 03.12.01
NIST 800-171A R3 (source) A.03.12.01.ODP[01]
TISAX ISA 6 1.5.1 5.2.6
SCF CORE Mergers, Acquisitions & Divestitures (MA&D) CPL-02.1
SCF CORE ESP Level 2 Critical Infrastructure CPL-02.1
SCF CORE ESP Level 3 Advanced Threats CPL-02.1
US (6)
Framework Mapping Values
US CMMC 2.0 Level 2 (source) CA.L2-3.12.1
US CMMC 2.0 Level 3 (source) CA.L2-3.12.1
US FCA CRM 609.930(c)(6)
US - CA CCPA 2025 7122(a)(3)
US - NV NOGE Reg 5 5.260.5(b)
US - VT Act 171 of 2018 2447(b)(2)(C) 2447(b)(8) 2447(b)(8)(A)
EMEA (7)
Framework Mapping Values
EMEA EU EBA GL/2019/04 3.3.1(11) 3.3.6(25)
EMEA EU NIS2 Annex 2.3.2
EMEA Saudi Arabia CSCC-1 2019 1-4-2 2-13-4
EMEA Saudi Arabia ECC-1 2018 1-8-1 1-8-3
EMEA Saudi Arabia SAMA CSF 1.0 3.2.5
EMEA Spain BOE-A-2022-7191 31.1 31.2 31.3 31.4 31.5 31.6 31.7 41.1 41.2
EMEA Spain 311/2022 31.1 31.2 31.3 31.4 31.5 31.6 31.7 41.1 41.2
APAC (8)
Framework Mapping Values
APAC Australia Prudential Standard CPS230 46 60
APAC Australia Prudential Standard CPS234 31 32 33 34 34(a) 34(b)
APAC China Privacy Law 54
APAC India DPDPA 2023 10(2)(b)
APAC Japan ISMAP 4.6.2 4.6.2.2 4.6.2.3 12.7.1
APAC New Zealand HISF 2022 HHSP67 HML66 HSUP58
APAC New Zealand HISF Suppliers 2023 HSUP58
APAC Singapore MAS TRM 2021 15.1.1 15.1.2 15.1.3 15.1.4
Americas (3)
Framework Mapping Values
Americas Bermuda BMACCC 5.4 5.6
Americas Canada CSAG 6.17 6.18 6.19 6.20
Americas Canada ITSP-10-171 03.12.01

Capability Maturity Model

Level 0 — Not Performed

There is no evidence of a capability to implement an internal audit function that is capable of providing senior organization management with insights into the appropriateness of its technology and information governance processes.

Level 1 — Performed Informally

C|P-CMM1 is N/A, since a structured process is required to implement an internal audit function that is capable of providing senior organization management with insights into the appropriateness of its technology and information governance processes.

Level 2 — Planned & Tracked

C|P-CMM2 is N/A, since a well-defined process is required to implement an internal audit function that is capable of providing senior organization management with insights into the appropriateness of its technology and information governance processes.

Level 3 — Well Defined

Compliance (CPL) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • Ensures data/process owners understand their requirements to manage applicable cybersecurity and data protection controls through oversight and written guidance.
  • Provides applicable stakeholders with status reports on control execution to enable security controls oversight.
  • Works with data/process owners and asset custodians to document and validate the scope of cybersecurity and data protection controls to ensure statutory, regulatory and/or contractual compliance obligations are met.
  • Conducts cybersecurity and data privacy control assessments, on a regular cadence that is defined by the applicable statutory, regulatory and contractual requirements.

  • A Governance, Risk & Compliance (GRC) function, or similar function, provides governance oversight for the implementation of applicable statutory, regulatory and contractual cybersecurity and data protection controls to ensure compliance requirements are identified and documented.
  • The GRC function, or similar function:
  • Cybersecurity and data privacy controls are centrally managed through a technology solution (e.g., GRC solution) to assign controls, track control activities and report on compliance efforts.
  • An assessor from within a GRC function, or similar function, is selected or a third-party assessor is contracted to perform an independent assessment of cybersecurity and data protection controls.
Level 4 — Quantitatively Controlled

Compliance (CPL) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 criteria, CMM Level 4 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).
  • Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).
  • Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.
  • Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).
  • Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.
  • Both business and technical stakeholders are involved in reviewing and approving proposed changes.
Level 5 — Continuously Improving

See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to implement an internal audit function that is capable of providing senior organization management with insights into the appropriateness of its technology and information governance processes.

Assessment Objectives

  1. CPL-02.1_A01 an internal audit function exists that is comprised of stakeholders who have the subject matter expertise to serve in an advisory capability on audit-related matters.
  2. CPL-02.1_A02 an internal audit function formally defines audit-related priorities for the organization.
  3. CPL-02.1_A03 an internal audit function tracks audit findings that require remediation efforts.
  4. CPL-02.1_A04 an internal audit function provides the organization's executive leadership with insights into the appropriateness of the organization's technology and information governance processes.
  5. CPL-02.1_A05 the frequency at which to assess the security requirements for the system and its environment of operation is defined.

Evidence Requirements

E-CPL-04 Internal Audit (IA)

Documented evidence of an Internal Audit (IA) capability.

Compliance
E-CPL-07 Control Assessments

Documented evidence of internal or third-party control assessments to provide governance oversight of cybersecurity & data privacy controls.

Compliance

Technology Recommendations

Micro/Small

  • Internal audit program

Small

  • Internal audit program

Medium

  • Internal audit program

Large

  • Internal audit program

Enterprise

  • Internal audit program

The Secure Controls Framework (SCF) is maintained by SCF Council. Use of SCF content is subject to the SCF Terms & Conditions.