Risk & Control Frameworks

Frameworks for your industry, risk, or regulatory area.


Ensure regulatory compliance. Track key control performance. Mitigate strategic risk.

Whether you work in government, higher education, banking and lending, IT, finance, or commercial business, you can quickly and easily apply industry best practices to assure control effectiveness.

We’ve compiled these ready-to-use risk and control matrices to help you identify and implement the frameworks that matter most to your business. This allows you to spot and address strategic risks that could prevent you from meeting your objectives.

Risk & Control Frameworks by Content Suite

Banking & Lending

ACL’s content helps increase the value you bring to your organization by providing a lens on emerging risk while staying on top of the latest regulatory requirements. It’s a platform for you to intelligently manage and execute on your strategic agenda. No matter if you’re a bank or credit union, we’ve curated content toolkits to facilitate cross-collaboration between your three lines of defense. In no time, they’ll be speaking one common language and using a common taxonomy.

  • Last updated May 15, 2018

    The CFPB Electronic Funds Transfer Act (EFTA) 2013 Framework is designed to assist auditors in testing the controls within their organization against compliance with the Electronic Funds Transfer Act. The framework includes a set of controls and test plans built from guidance provided by the CFPB.
  • Last updated February 8, 2018

    The Equal Credit Opportunity Act (ECOA) prohibits discrimination in any aspect of a credit transaction. It applies to any extension of credit, including extensions of credit to small businesses, corporations, partnerships, and trusts. The Consumer Financial Protection Bureau’s (CFPB) Regulation B, found at 12 CFR Part 1002, implements ECOA. Regulation B describes lending acts and practices that are specifically prohibited, permitted, or required.
  • Last updated February 8, 2018

    The Gramm-Leach-Bliley Act (GLBA) governs the treatment of non-public personal information about consumers by financial institutions, and establishes rules governing duties of a financial institution to provide particular notices and limitations on its disclosure of nonpublic personal information. The Consumer Financial Protection Bureau’s (CFPB) Regulation P, found at 12 CFR Part 1016, implements GLBA.
  • Last updated February 8, 2018

    The Home Mortgage Disclosure Act (HMDA) requires lenders to report the ethnicity, race, gender, and gross income of mortgage applicants and borrowers to help show whether financial institutions are serving the housing credit needs of the neighborhoods and communities in which they are located, and to assist in identifying possible discriminatory lending patterns and enforcing anti-discrimination statutes. The Consumer Financial Protection Bureau’s (CFPB) Regulation C, found at 12 CFR Part 1003, implements HMDA.
  • Last updated February 8, 2018

    The InTREx Program is an enhanced, risk-based approach for conducting IT examinations. The Program helps to ensure that financial institution management promptly identifies and effectively addresses IT and cybersecurity risks.

    Federal Deposit Insurance Corporation (FDIC) 2016. As a work of the U.S. government, this product is not subject to copyright protection.

    Note: Use of the FDIC data labels does not constitute an endorsement, recommendation, or favoring by the U.S. government or the FDIC, nor has the FDIC partnered with ACL Services Ltd. on this publication.
  • Last updated May 1, 2018

    This regulation is available in ACL's compliance library for organizations seeking to demonstrate coverage over the FDIC Servicemember Civil Relief Act (SCRA) 2016 Framework. Organizations can tie their internal controls, provide rationalization, and report any compliance audit issues related to this regulation.
  • Last updated February 8, 2018

    The Bank Secrecy Act (BSA) is legislation that requires U.S. financial institutions to collaborate with the U.S. government in cases of suspected fraud or money laundering. It requires financial institutions to maintain records of transactions and file reports of suspicious activity.

    U.S. Department of Treasury - Office of the Comptroller of the Currency (OCC): Bank Secrecy Act (BSA). As a work of the U.S. government, this product is not subject to copyright protection.

    Federal Financial Institutions Examination Council (FFIEC) 2014: Board of Governors of the Federal Reserve System, Consumer Financial Protection Bureau, Federal Deposit Insurance Corporation, National Credit Union Administration, Office of the Comptroller of the Currency, State Liaison Committee. As a work of the U.S. government, this product is not subject to copyright protection.

    Note: Use of the FFIEC data labels does not constitute an endorsement, recommendation, or favoring by the U.S. government or the FFIEC, nor has the FFIEC partnered with ACL Services Ltd. on this publication.

Governments & Higher Education

As a GRC professional, you’re constantly challenged to do more with less. Whether you’re assuring regulatory compliance, managing your organization's evolving risk landscape or protecting against fraud, waste and abuse, we can help. Drawing on decades of experience working with hundreds of governments and educational institutions, ACL is positioned to help you achieve your GRC goals. The toolkits below include an integrated library of standards and regulations and resources to help make your job easier.

  • Last updated February 8, 2018

    This AGA Risk Assessment Monitoring Tool is the result of an intergovernmental partnership established by AGA in cooperation with the US Office of Management and Budget. It is intended to provide states with a method for assessing subrecipient risk and to be applicable across federal granting authorities, as well as across monitoring authorities. AGA Partnership for Intergovernmental Management and Accountability (February 2009). The Financial and Administrative Monitoring Tool is available on AGA’s website at https://www.agacgfm.org/Resources.aspx. This content is provided courtesy of AGA.
  • The GAGAS Agreed Upon Procedures (GAO 2011) standard is available in ACL's compliance library for organizations seeking to demonstrate coverage over SSAE16/18 SOC 2. Organizations can tie their internal controls, provide rationalization, and report any compliance audit issues related to this standard.
  • The GAGAS Financial Audit (GAO 2011) standard is available in ACL's compliance library for organizations seeking to demonstrate coverage over SSAE16/18 SOC 2. Organizations can tie their internal controls, provide rationalization, and report any compliance audit issues related to this standard.
  • The GAGAS Performance Audit (GAO 2011) standard is available in ACL's compliance library for organizations seeking to demonstrate coverage over SSAE16/18 SOC 2. Organizations can tie their internal controls, provide rationalization, and report any compliance audit issues related to this standard.

IT Governance

With thousands of industry standards, internal policies, or regulatory requirements, keeping on top of compliance can be daunting. Add in an increasing risk of penalties, brand damage, and the threat of being held personally liable … and it’s overwhelmingly clear how important it is to maintain updated and accurate compliance records. ACL’s curated content subscription integrates common frameworks and automated updates for IT risk & compliance management, making it easy for you to minimize risk exposure and collaborate with your front line.

  • Last updated May 2, 2018

    The COBIT® 5 Risk & Control Framework includes the controls and activities for IT and audit professionals to assess their organization's progress towards implementing the COBIT 5 framework.
  • Last updated May 2, 2018

    The Cloud Security Alliance® (CSA) Cloud Controls Matrix (CCM) provides organizations with fundamental security principles and a controls framework to guide cloud vendors and prospective customers in assessing the overall security risk of a cloud provider. © Copyright 2015-2016 Cloud Security Alliance - All rights reserved.
  • Last updated May 7, 2018

    The ISACA Data Protection Impact Assessment 2017 Framework includes the controls and activities for IT and audit professionals to assess their organization's progress towards implementing the framework.
  • Last updated May 2, 2018

    The ISO/IEC 27002:2013 Information Technology Framework includes the controls and activities for IT and audit professionals to assess their organization's progress towards implementing the framework.
  • Last updated April 18, 2018

    The NIST Framework for Improving Critical Infrastructure Cybersecurity enables organizations to apply the principles and best practices of risk management to improving the security and resilience of critical infrastructure. The Framework uses common language to address and manage cybersecurity risk in a cost-effective way based on business needs without placing additional regulatory requirements on businesses. Because it references globally recognized standards for cybersecurity, the Framework can be used by organizations located outside the United States and can serve as a model for international cooperation on strengthening critical infrastructure.

    U.S. Department of Commerce: National Institute of Standards and Technology (NIST). NIST publications are all freely available for download at http://csrc.nist.gov/. As a work of the U.S. government, this product is not subject to copyright protection.
  • Last updated February 8, 2018

    The HIPAA Security Rule specifically focuses on the safeguarding of electronic protected health information (EPHI). Although the Federal Information Security Management Act (FISMA) applies to all federal agencies and all information types, only a subset of agencies are subject to the HIPAA Security Rule based on their functions and use of EPHI. All HIPAA covered entities, which include some federal agencies, must comply with the Security Rule, which specifically focuses on protecting the confidentiality, integrity, and availability of EPHI, as defined in the Security Rule. The EPHI that a covered entity creates, receives, maintains, or transmits must be protected against reasonably anticipated threats, hazards, and impermissible uses and/or disclosures.

    U.S. Department of Commerce: National Institute of Standards and Technology (NIST). NIST publications are all freely available for download at http://csrc.nist.gov/. As a work of the U.S. government, this product is not subject to copyright protection.

Subscription Value

It’s a challenge to understand where risk may exist in material processes across your organization. With literally hundreds of frameworks and even more requirements, where do you even begin to determine the most recent industry framework to use and the most effective controls to implement to illuminate your risks? What you need is a simple way to apply best practice analytics or implement common industry frameworks (e.g., COSO, COBIT).

With ACL’s Subscription Value Suite, we can help you get off the ground faster. Draw on the experience of ACL and our vast community of users to leverage proven tools and industry-rich knowledge you won’t find anywhere else. Find ready-to-use regulatory standards and frameworks, pre-built analytic scripts and more. There’s no easier path to helping your organization instantly drive performance and make the right strategic decisions.

  • ACL project templates are pre-built projects that serve as starting points for building projects. As every project is different, additional customization may be required.


Strategic Risk Libraries

  • Enterprise Risk Libraries
  • Financial Services - Banks & Lending Enterprise Risks
  • Healthcare - Providers Enterprise Risks
  • And more

Standards & Regulations

  • AICPA Trust Security Criteria 2016 - SSAE 16/18 SOC 2
  • AICPA Trust Security Criteria 2017 - SSAE 16/18 SOC 2
  • Availability of Funds and Collection of Checks - 12 CFR 229 (FRB Regulation CC)
  • And more

Analysis Apps

  • ACH Data Import and Preparation Scripts
  • ACL Academy Online Training
  • ACL Essentials - Accounts Payable
  • And more