The specialised nature of information systems (IS) auditing and the skills necessary to perform such audits require standards that apply specifically to IS auditing. One of the goals of ISACA® is therefore to advance globally applicable standards to meet this need. The development and dissemination of IS auditing standards are a cornerstone of the ISACA professional contribution to the audit community. Holders of the Certified Information Systems Auditor™ (CISA®) designation are to comply with the IS Auditing Standards adopted by ISACA. Failure to comply with these standards may result in an investigation into the CISA holder's conduct by the ISACA Board of Directors or the appropriate ISACA committee and, ultimately, in disciplinary action.
Objectives: The objectives of ISACA's IS Auditing Standards are to inform
- IS Auditors of the minimum level of acceptable performance required to meet the professional responsibilities set out in the ISACA Code of Professional Ethics for IS Auditors
- Management and other interested parties of the profession's expectations concerning the work of practitioners
Scope and Authority of IS Auditing Standards
The framework for ISACA's IS Auditing Standards provides for multiple levels of guidance:
- Standards define mandatory requirements for IS auditing and reporting.
- Guidelines provide guidance in applying IS Auditing Standards. The IS Auditor should consider them in determining how to achieve implementation of the standards, use professional judgment in their application and be prepared to justify any departure.
- Procedures provide examples of procedures an IS auditor might follow in an audit engagement. Procedures should not be considered inclusive of any proper procedures and tests or exclusive of other procedures and tests that are reasonably directed to obtain the same results. In determining the appropriateness of any specific procedure, groups of procedures or test, the IS auditor should apply their own professional judgment to the specific circumstances presented by the particular information systems or technology environment. The procedure documents provide information on how to meet the standards when performing IS auditing work, but do not set requirements.
These documents are available for download on our web site, www.isaca.org. The titles of issued documents are:
IS Auditing Standards (Effective 25 July 1997) and the IS Auditing Guidelines issued under each standard:

010 Audit Charter (Revised, Effective 1 January 2004)
    Standard .010 Responsibility, Authority and Accountability
        Guideline .010 Audit Charter (Effective 1 September 1999)
        Guideline .020 Outsourcing of IS Activities to Other Organisations (Effective 1 September 1999)
020 Independence
    Standard .010 Professional Independence
        Guideline .010 Effect of Nonaudit Role on the IS Auditor's Independence (Effective 1 July 2002)
            Also see: 020.020.010 Organisational Relationship and Independence
    Standard .020 Organisational Relationship
        Guideline .010 Organisational Relationship and Independence (Effective 1 September 2000)
            Also see: 020.010.010 Effect of Nonaudit Role on the IS Auditor's Independence
        Guideline .020 Internet Banking (Effective 1 August 2003)
            Also see: 020.010.010 Effect of Nonaudit Role on the IS Auditor's Independence; 060.020.090 Business-to-consumer E-commerce Reviews Guideline
030 Professional Ethics and Standards
    Standard .010 Code of Professional Ethics
        Guideline .010 Irregularities and Illegal Acts (Effective 1 July 2002)
            Also see: 030.020.020 Due Professional Care; 020.020.010 Organisational Relationship and Independence
    Standard .020 Due Professional Care
        Guideline .010 Audit Considerations for Irregularities (Effective 1 March 2000)
        Guideline .020 Due Professional Care (Effective 1 September 1999)
            Also see: 060.020.070 Use of Computer Assisted Audit Techniques (CAATs); 030.010.010 Irregularities and Illegal Acts
040 Competence
    Standard .010 Skills and Knowledge
    Standard .020 Continuing Professional Education
050 Planning
    Standard .010 Audit Planning
        Guideline .010 Materiality Concepts for Auditing Information Systems (Effective 1 September 1999)
        Guideline .020 Planning (Effective 1 March 2002)
        Guideline .030 Use of Risk Assessment in Audit Planning (Effective 1 September 2000)
        Guideline .040 Effect of Third Parties on an Organisation's IT Controls (Effective 1 March 2002)
            Also see: 030.020.010 Audit Considerations for Irregularities; 010.010.020 Outsourcing of IS Activities to Other Organisations; 060.020.070 Use of Computer Assisted Audit Techniques (CAATs)
060 Performance of Audit Work
    Standard .010 Supervision
        Guideline .010 Enterprise Resource Planning (ERP) Systems Review (Effective 1 August 2003)
    Standard .020 Evidence
        Guideline .010 Audit Documentation (Effective 1 September 1999)
        Guideline .020 Application Systems Review (Effective 1 November 2001)
        Guideline .030 Audit Evidence Requirement (Effective 1 December 1998)
        Guideline .040 Audit Sampling (Effective 1 March 2000)
        Guideline .050 IT Governance (Effective 1 July 2002)
        Guideline .060 Effect of Pervasive IS Controls (Effective 1 March 2000)
        Guideline .070 Use of Computer Assisted Audit Techniques (CAATs) (Effective 1 December 1998)
        Guideline .080 Using the Work of Other Auditors and Experts (Effective 1 June 1998)
        Guideline .090 Business-to-consumer (BC) E-commerce Reviews (Effective 6 August 2003)
        Guideline .091 System Development Life Cycle (SDLC) Reviews (Effective 1 August 2003)
        Guideline .092 Internet Banking (Effective 1 August 2003)
            Also see: 020.010.010 Effect of Nonaudit Role on the IS Auditor's Independence; 030.020.010 Audit Considerations for Irregularities; 010.010.020 Outsourcing of IS Activities to Other Organisations; 050.010.030 Use of Risk Assessment in Audit Planning; 050.010.040 Effect of Third Parties on an Organisation's IT Controls
070 Reporting
    Standard .010 Report Content and Form
        Guideline .010 Reporting (Effective 1 January 2003)
            Also see: 060.020.010 Audit Documentation; 030.020.010 Audit Considerations for Irregularities
080 Follow-Up Activities
    Standard .010 Follow-Up
IS Auditing Procedures
1. IS Risk Assessment Measurement Effective 1 July 2002
2. Digital Signatures Effective 1 July 2002
3. Intrusion Detection Effective 1 August 2003
4. Malicious Logic Effective 1 August 2003
5. Virus and Control Risk Self-assessment Effective 1 August 2003
6. Firewalls Effective 1 August 2003
7. Irregularities and Illegal Acts Effective 1 December 2003
Standards for Information System Control Professionals (Effective 1 September 1999)
510 Statement of Scope
    .010 Responsibility, Authority and Accountability
520 Independence
    .010 Professional Independence
    .020 Organisational Relationship
530 Professional Ethics and Standards
    .010 Code of Professional Ethics
    .020 Due Professional Care
540 Competence
    .010 Skills and Knowledge
    .020 Continuing Professional Education
550 Planning
    .010 Control Planning
560 Performance of Work
    .010 Supervision
    .020 Evidence
    .030 Effectiveness
570 Reporting
    .010 Periodic Reporting
580 Follow-Up Activities
    .010 Follow-Up
Code of Professional Ethics (Revised May 2003)
Exposure Drafts (exposure period ends 30 November):
- Revision of IS Auditing Standard 040 Competence
- Revision of IS Auditing Standard 070 Reporting
- IS Auditing Guideline: Business Process Reengineering Project Reviews
- IS Auditing Guideline: Review of Virtual Private Networks
- IS Auditing Procedure: Penetration Testing and Vulnerability Analysis
ISACA® 2003-2004 Standards Board
- Claudio Cilli, Ph.D., CISA, CISM, CIA, CISSP (KPMG, Italy)
- Svein Aldal (Scandinavian Business Security AS, Norway)
- Claude Carter, CISA, CA (Auditor General's Office of Nova Scotia, Canada)
- Sergio Fleginsky, CISA (PricewaterhouseCoopers, Uruguay)
- Christina Ledesma, CISA, CISM (Citibank NA Sucursal, Uruguay)
- Andrew J. MacLeod, CISA, FCPA, MACS, PCP, CIA (Brisbane City Council, Australia)
- Ravi Muthukrishnan, CISA, FCA, ISCA (NextLinx India Private Ltd., India)
- Peter Niblett, CISA, CA, MIIA, FCPA (Day Neilson, Australia)
- John G. Ott, CISA, CPA (Aetna, Inc., USA)