The specialised nature of information systems (IS) auditing and the skills necessary to perform such audits require standards that apply specifically to IS auditing. One of the goals of ISACA® is to advance globally applicable standards to meet its vision. The development and dissemination of the IS Auditing Standards are cornerstones of the ISACA professional contribution to the audit community. The framework for the IS Auditing Standards provides multiple levels of guidance:
- Standards define mandatory requirements for IS auditing and reporting. They inform:
  - IS auditors of the minimum level of acceptable performance required to meet the professional responsibilities set out in the ISACA Code of Professional Ethics for IS auditors
  - Management and other interested parties of the profession's expectations concerning the work of practitioners
  - Holders of the Certified Information Systems Auditor (CISA) designation of requirements. Failure to comply with these standards may result in an investigation into the CISA holder's conduct by the ISACA Board of Directors or appropriate ISACA committee and, ultimately, in disciplinary action.
- Guidelines provide guidance in applying IS Auditing Standards. The IS auditor should consider them in determining how to achieve implementation of the standards, use professional judgment in their application and be prepared to justify any departure. The objective of the IS Auditing Guidelines is to provide further information on how to comply with the IS Auditing Standards.
- Procedures provide examples of procedures an IS auditor might follow in an audit engagement. The procedure documents provide information on how to meet the standards when performing IS auditing work, but do not set requirements. The objective of the IS Auditing Procedures is to provide further information on how to comply with the IS Auditing Standards.
COBIT resources should be used as a source of best practice guidance. Each of the following is organised by IT management process, as defined in the COBIT Framework. COBIT is intended for use by business and IT management as well as IS auditors; its use therefore allows business objectives to be understood, and best practices and recommendations to be communicated, around a commonly understood and well-respected standard reference. COBIT includes:
- Control Objectives—High-level and detailed generic statements of minimum good control
- Control Practices—Practical rationales and how-to-implement guidance for the control objective
- Audit Guidelines—Guidance for each control area on how to obtain an understanding, evaluate each control, assess compliance, and substantiate the risk of controls not being met
- Management Guidelines—Guidance on how to assess and improve IT process performance, using maturity models, metrics and critical success factors
These documents are available for download on our web site, www.isaca.org. The titles of issued documents are:
IS Auditing Standards
S1 Audit Charter Effective 1 January 2005
S2 Independence Effective 1 January 2005
S3 Professional Ethics and Standards Effective 1 January 2005
S4 Professional Competence Effective 1 January 2005
S5 Planning Effective 1 January 2005
S6 Performance of Audit Work Effective 1 January 2005
S7 Reporting Effective 1 January 2005
S8 Follow-up Activities Effective 1 January 2005
IS Auditing Guidelines
G1 Using the Work of Other Auditors and Experts Effective 1 June 1998
G2 Audit Evidence Requirement Effective 1 December 1998
G3 Use of Computer Assisted Audit Techniques (CAATs) Effective 1 December 1998
G4 Outsourcing of IS Activities to Other Organisations Effective 1 September 1999
G5 Audit Charter Effective 1 September 1999
G6 Materiality Concepts for Auditing Information Systems Effective 1 September 1999
G7 Due Professional Care Effective 1 September 1999
G8 Audit Documentation Effective 1 September 1999
G9 Audit Considerations for Irregularities Effective 1 March 2000
G10 Audit Sampling Effective 1 March 2000
G11 Effect of Pervasive IS Controls Effective 1 March 2000
G12 Organisational Relationship and Independence Effective 1 September 2000
G13 Use of Risk Assessment in Audit Planning Effective 1 September 2000
G14 Application Systems Review Effective 1 November 2001
G15 Planning Revised Effective 1 March 2002
G16 Effect of Third Parties on an Organisation’s IT Controls Effective 1 March 2002
G17 Effect of Nonaudit Role on the IS Auditor’s Independence Effective 1 July 2002
G18 IT Governance Effective 1 July 2002
G19 Irregularities and Illegal Acts Effective 1 July 2002
G20 Reporting Effective 1 January 2003
G21 Enterprise Resource Planning (ERP) Systems Review Effective 1 August 2003
G22 Business-to-consumer (B2C) E-commerce Reviews Effective 1 August 2003
G23 System Development Life Cycle (SDLC) Reviews Effective 1 August 2003
G24 Internet Banking Effective 1 August 2003
G25 Review of Virtual Private Networks Effective 1 July 2004
G26 Business Process Reengineering (BPR) Project Reviews Effective 1 July 2004
G27 Mobile Computing Effective 1 September 2004
G28 Computer Forensics Effective 1 September 2004
G29 Post-implementation Review Effective 1 January 2005
G30 Competence Effective 1 June 2005
G31 Privacy Effective 1 June 2005
IS Auditing Procedures
P1 IS Risk Assessment Measurement Effective 1 July 2002
P2 Digital Signatures and Key Management Effective 1 July 2002
P3 Intrusion Detection Systems (IDS) Review Effective 1 August 2003
P4 Malicious Logic Effective 1 August 2003
P5 Control Risk Self-assessment Effective 1 August 2003
P6 Firewalls Effective 1 August 2003
P7 Irregularities and Illegal Acts Effective 1 December 2003
P8 Security Assessment—Penetration Testing and Vulnerability Analysis Effective 1 September 2004
P9 Evaluation of Management Controls Over Encryption Methodologies Effective 1 January 2005
Standards for Information System Control Professionals
510 Statement of Scope
  .010 Responsibility, Authority and Accountability
520 Independence
  .010 Professional Independence
  .020 Organisational Relationship
530 Professional Ethics and Standards
  .010 Code of Professional Ethics
  .020 Due Professional Care
540 Competence
  .010 Skills and Knowledge
  .020 Continuing Professional Education
550 Planning
  .010 Control Planning
560 Performance of Work
  .010 Supervision
  .020 Evidence
  .030 Effectiveness
570 Reporting
  .010 Periodic Reporting
580 Follow-Up Activities
  .010 Follow-Up
Code of Professional Ethics Revised May 2003
ISACA® 2004-2005 Standards Board
- Chair, Sergio Fleginsky, CISA, ICI Paints, Uruguay
- Svien Aldal, Aldal Consulting, Norway
- John W. Beveridge, CISA, CISM, CFE, CGFM, CQA, Commonwealth of Massachusetts, USA
- Claudio Cilli, Ph.D., CISA, CISM, CIA, CISSP, Tangerine Consulting, Italy
- Christina Ledesma, CISA, CISM, Citibank NA Susursal, Uruguay
- Andrew J. MacLeod, CISA, CIA, FCPA, PCP, Brisbane City Council, Australia
- V. Meera, CISA, CISM, CWA, ACS, Microsoft Corporation, USA
- Ravi Muthukrishnan, CISA, CISM, FCA, ISCA, Ikanos Communications, India
- John G. Ott, CISA, CPA, AmerisourceBergen, USA
- Tom Thompson, CISA, Ernst & Young, UAE
Information Systems Control Journal, formerly the IS Audit & Control Journal, is published by the Information Systems Audit and Control Association, Inc. Membership in the association, a voluntary organization of persons interested in information systems (IS) auditing, control and security, entitles one to receive an annual subscription to the Information Systems Control Journal.
Opinions expressed in the Information Systems Control Journal represent the views of the authors and advertisers. They may differ from policies and official statements of the Information Systems Audit and Control Association and/or the IT Governance Institute® and their committees, and from opinions endorsed by authors' employers, or the editors of this Journal. Information Systems Control Journal does not attest to the originality of authors' content.
© Copyright 2006 by Information Systems Audit and Control Association Inc., formerly the EDP Auditors Association. All rights reserved. ISCA™ Information Systems Control Association™
Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, Mass. 01970, to photocopy articles owned by the Information Systems Audit and Control Association Inc., for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.
www.isaca.org
INFORMATION SYSTEMS CONTROL JOURNAL, VOLUME 1, 2006