Rule 80-12-5-.02 - Independent Audits(1) Every MALPB shall have an audit of its books and records performed at least annually by independent public accountants in accordance with generally accepted auditing standards. The audit must be of sufficient scope to enable the auditor to render an opinion on the financial statements of the MALPB; provided, however, that, upon request by the MALPB, the Department may approve in writing the use of a consolidated holding company audit. The audit shall include a review of the MALPB's internal controls and such other tests and reviews of the MALPB records as deemed appropriate by the independent auditor, including, but not limited to, adequate testing and review of the MALPB's information technology activities as well as operations and risk management process reviews. The information technology audit shall include, but not be limited to, enhanced perimeter testing in the form of quarterly vulnerability scans of the entire enterprise and an annual penetration test of all external-facing systems, not just those utilized in the performance of merchant acquiring activities. The operations and risk management process reviews shall be in conformity with SSAE-16. The extent of audit work should be clearly defined in engagement letters. Such letters should discuss the scope of the audit, the objectives, resource requirements, audit timeframe and resulting reports. The engagement letter shall also provide that the accountants must make their audit work papers, policies, and procedures available to the Department upon its request.(2) Reports of such audits shall be filed with the Department within thirty (30) days after receipt by the MALPB. The reports shall be accompanied by the engagement letter and, if applicable, the letter to management detailing any reportable conditions discovered during the audit engagement.Ga. Comp. R. & Regs. R. 80-12-5-.02
O.C.G.A. §§ 7-9-3, 7-9-13.
Original Rule entitled "Independent Audits" adopted. F. Dec. 3, 2013; eff. Dec. 23, 2013