"Necessity is the mother of invention."
—Plato, Greek philosopher
By Ravi Muthukrishnan, CISA, CISM, FCA
One of the single most important issues on the agenda of senior executives and boards today is the effectiveness of internal controls on information technology (IT). With IT becoming more pervasive, technology-based solutions are increasingly replacing manual processes. In addition, to meet the expectations and demands for the right information from shareholders, regulators and other stakeholders, it is critical for automated internal controls to be effective and efficient. This places added onus and great responsibility on assurance professionals to ensure quality, objectivity, consistency and reliability of their IT control assessments.
ISACA's IT Assurance Framework™ (ITAF) is designed to meet the continuing need of IT assurance professionals by providing a framework, direction and a single point of reference to host standards, guidelines, tools and techniques to conduct IT assessments. This comprehensive framework for IT audit and assurance professionals is the vision of Marios Damianides, CISA, CISM, CA, CPA, a past international president of ISACA, and was spearheaded by Robert Parker, CISA, CA, CMC, FCA, also a past international president of ISACA. ITAF is a result of their shared passion, and came about only after many hours of effort over two years.
The challenge and goal were to create a comprehensive "one-stop" framework for IT audit and assurance professionals.
What Is ITAF?
ITAF is a comprehensive and good-practice-setting framework that:
- Provides guidance on the design, conduct and reporting of IT audit and assurance assignments
- Defines terms and concepts specific to IT assurance
- Establishes standards that address IT audit and assurance professional roles and responsibilities, knowledge and skills, diligence, conduct, and reporting requirements
The current version of ITAF, published in ITAF™: A Professional Practices Framework for IT Assurance, incorporates existing standards and guidelines of ISACA. The framework allows for new guidance to be indexed properly as it is developed and issued. Designed to be a living document, ITAF is flexible and allows for material such as relevant tools, techniques, white papers and publications to be placed within the framework—in addition to standards and guidelines.
The ITAF project, approved by the ISACA Board of Directors in 2006, was originally conceptualized to address only audit and assurance standards, as that is where the greatest need had been identified. As the IT audit and assurance standards were developed and the project matured, additional needs were identified, including the development of the ITAF taxonomy to encompass the body of knowledge of which the IT audit and assurance professional must be aware. Accordingly, the initial taxonomy was designed and presented to ISACA's Assurance Committee and Standards Board in late 2006. Since then, ITAF has been subjected to a variety of input and due diligence processes. Throughout these processes, the issues raised and guidance provided by members of the IT audit and assurance profession have proven invaluable in establishing scope, content and direction.
ITAF is a living document. It will evolve as business, technology and assurance practices evolve. It is a document for the profession and will continue to solicit and value the input provided by its constituents and stakeholders.
Who Should Use ITAF?
ITAF is designed primarily for use by individuals who act in the capacity of IT audit and assurance professionals and are engaged in providing assurance over some components of IT systems, applications and infrastructure; however, it can be used by anyone in the assurance profession. The framework is designed to provide benefits to wider audiences including senior management, boards, and users of IT and assurance reports.
ITAF's design recognizes that IT professionals are faced with multiple requirements and types of audit, ranging from IT-focused audit to financial, operational or regulatory requirements. At this time, ITAF is not designed to address specific requirements with respect to consultative and advisory work.
How Is ITAF Organized?
Figure 1 illustrates the basic components of ITAF. These include three categories of standards—general, performance and reporting—as well as guidelines and, finally, tools and techniques:
- General—These are the guiding principles under which the IT assurance profession operates. These apply to the conduct of all assurance assignments, and deal with the IT audit and assurance professional's ethics, independence, objectivity and due care as well as knowledge, competency and skill.
- Performance—These standards deal with the conduct of the assignment such as planning and supervision, scoping, risk and materiality, resource mobilization, supervision and assignment management, audit and assurance evidence, and the exercising of professional judgment and due care.
- Reporting—These standards address the types of reports, means of communication and the information communicated.
- Guidelines—These provide the IT audit and assurance professional with information and direction about an audit or assurance area in line with the three categories of standards. Guidelines focus on the various audit approaches, methodologies and related material to assist in planning, executing, assessing, testing and reporting on IT processes, controls, and related audit or assurance initiatives. Guidelines also help clarify the relationship between enterprise activities and initiatives, and those undertaken by IT.
- Tools and techniques—These provide specific information on various methodologies, tools and templates, and direction in their application and use, to operationalize the information provided in the guidance. The tools and techniques are directly linked to specific guidelines. They take a variety of forms, such as discussion documents, technical direction, white papers, audit programs or books, e.g., the ISACA publication Security, Audit and Control Features SAP® R/3®, 2nd Edition: A Technical and Risk Management Reference Guide, which supports the guideline on enterprise resource planning (ERP) systems.
Due to diverse global requirements, ITAF recognizes the use of standards established by other global and national standard-setting bodies. As a result, IT audit and assurance professionals may use ISACA standards in conjunction with professional standards issued by other authoritative bodies. ITAF also describes how to deal with inconsistencies, if any, with other standards.
ITAF is divided into four sections:
- 1000—Provides an introduction to ITAF, discusses how to use it, describes the audience and introduces the ISACA Code of Professional Ethics
- 2000—Presents the three categories of standards: general, performance and reporting
- 3000—Introduces the guidelines. In this section, tables provide information in two categories:
  - IT processes or IT audit processes—Includes a narrative description of the guideline item, presents information about the subject area and the assurance issues, and provides direction to IT audit and assurance professionals.
  - Resources—Provides references to:
    - ISACA resources—A list of existing ISACA IS Auditing Standards, IS Auditing Guidelines, and other ISACA and IT Governance Institute (ITGI) publications relevant to the subject matter
    - Other resources—A list of relevant material from other standards-setting or regulatory bodies considered appropriate to the guideline's subject matter
- 4000—Establishes the IT audit and assurance tools and techniques, as well as other information such as discussion documents, technical direction, white papers, audit programs or detailed books, that provide IT audit and assurance professionals with the detailed guidance needed to accomplish their mission. (This section is in development and will be introduced gradually.)
In line with ITAF's design as a living document, section numbers intentionally include gaps where future information may be inserted. Figure 2 describes how the four sections of ITAF are organized.
The IT assurance or audit process involves the conduct of specific procedures to provide an appropriate level of assurance about the subject matter. IT audit and assurance professionals undertake assignments designed to provide assurance at varying levels, ranging from review to attestation or examination.
Several critical hypotheses are inherent in any IT assurance or audit assignment, including the following:
- The subject matter is identifiable and subject to audit.
- The audit or assurance project, if undertaken, has a significant likelihood of successful completion.
- The audit or assurance approach and methodology are free from bias.
- The IT audit or assurance project is of sufficient scope to meet the audit or assurance objectives.
- The IT audit or assurance project will lead to a report that is objective and will not mislead the reader.
Some of the salient features of ITAF that IT audit and assurance professionals may want to consider in adopting it are:
- Important terms and definitions in section 1800
- Classification and explanation of the level of assurance in section 1800
- Reference to general standards in section 2200
- Reference to performance standards in section 2400
- Reference to reporting standards in section 2600, e.g., figure 3, which specifies the types of reports based on user needs
- Section 3000's detailed references to IT processes, with corresponding mapping to available ISACA and other resources. IT processes are comprehensive and easily understandable. Resources include mapping to appropriate guidelines, COBIT and other publications of ISACA/ITGI. This information is highly valuable to IT assurance professionals seeking a one-stop reference point for their guidance, assistance on types of engagements and an overall framework for their profession.
In reference to the quote of Plato at the beginning of the article, there is a dire need for such a framework for IT audit and assurance professionals; it fills a great void.
ITAF is promised to be a living document; it will be interesting to see how this product eventually grows and adopts available technology to make it even more user friendly.
ISACA, ITAF: A Professional Practices Framework for IT Assurance, USA, 2008
1 American Institute of Certified Public Accountants (AICPA), Statement on Auditing Standards (SAS) No. 70, Service Organizations, USA
2 Chartered Accountants of Canada (CICA), Section 5970, Canada
3 Trust Services (including WebTrust and SysTrust) is a set of professional assurance and advisory services based on a common framework from the AICPA and CICA.
Ravi Muthukrishnan, CISA, CISM, FCA, is chief financial officer at Capco IT Services, India, and is currently chair of the ISACA Standards Board. He has been working with the Standards Board since 2003 and is an active member of the ISACA Bangalore Chapter. He can be reached at firstname.lastname@example.org or email@example.com.
Information Systems Control Journal, formerly the IS Audit & Control Journal, is published by the ISACA. Membership in the association, a voluntary organization of persons interested in information systems (IS) auditing, control and security, entitles one to receive an annual subscription to the Information Systems Control Journal.
Opinions expressed in the Information Systems Control Journal represent the views of the authors and advertisers. They may differ from policies and official statements of the Information Systems Audit and Control Association and/or the IT Governance Institute® and their committees, and from opinions endorsed by authors' employers, or the editors of this Journal. Information Systems Control Journal does not attest to the originality of authors' content.
Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, Mass. 01970, to photocopy articles owned by the Information Systems Audit and Control Association Inc., for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.