IT Audit and Assurance 


The specialised nature of information technology (IT) audit and assurance and the skills necessary to perform such audits require standards that apply specifically to IT audit and assurance.

Objectives, Scope and Authority of IT Audit and Assurance Standards

  Download Standards, Guidelines, and Tools and Techniques for Audit/Assurance and Control Professionals (2.5M)

Standards

Standards define mandatory requirements for IT audit and assurance. They inform:

  • IT audit and assurance professionals of the minimum level of acceptable performance required to meet the professional responsibilities set out in the ISACA Code of Professional Ethics.
  • Management and other interested parties of the profession's expectations concerning the work of practitioners.
  • Holders of the Certified Information Systems Auditor (CISA) designation of their requirements. Failure to comply with these standards may result in an investigation into the CISA holder's conduct by the ISACA Board of Directors or appropriate ISACA committee and, ultimately, in disciplinary action.


Guidelines

The objective of the IT Audit and Assurance Guidelines is to provide guidance and additional information on how to comply with the IT Audit and Assurance Standards. The IT audit and assurance professional should consider these guidelines when implementing, applying and justifying any departure from the Standards.


Tools and Techniques

The tools and techniques documents provide information on how to meet the standards when performing IT audit and assurance work, and provide examples of procedures an IT audit and assurance professional may follow, but do not set requirements. The objective of the IT Audit and Assurance Tools and Techniques is to provide additional information on how to comply with the IT Audit and Assurance Standards.


Standards Documents Under Exposure

The ISACA Professional Standards Committee is committed to incorporating your input in the preparation of IT Audit and Assurance Standards, Guidelines, and Tools and Techniques.

The Professional Standards Committee issues exposure drafts internationally and welcomes interested professionals to review this material and share their views. To participate:

Current Exposure Drafts

Exposure | Period Ends

IT Audit and Assurance Standards

There are no Standard drafts for exposure at this time.

IT Audit and Assurance Guidelines

There are no Guideline drafts for exposure at this time.

The Professional Standards Committee also welcomes your assistance in the identification of emerging issues that require new standards products.

Email ISACA's International Office or fax to the attention of the Director of Research, Standards and Academic Relations (+1.847.253.1443).


IT Audit and Assurance Standards, Guidelines, and Tools and Techniques Awaiting Final Approval

The Standards Re-evaluation Project issues documents that update existing standards and identify areas where new standards are required.

There are no documents awaiting final approval at this time.

Topics of Guidance in Development 

  • Risk Management Standard


COBIT

Control Objectives for Information and related Technology (COBIT) is an IT governance framework and supporting toolset that allows managers to bridge the gaps among control requirements, technical issues and business risks. COBIT enables clear policy development and good practice for IT control throughout enterprises. It emphasizes regulatory compliance, helps enterprises increase the value attained from IT, enables alignment and simplifies implementation of the COBIT framework’s concepts. COBIT is intended for use by business and IT management as well as IT audit and assurance professionals; therefore, its usage enables the understanding of business objectives and communication of good practices and recommendations to be made around a commonly understood and well-respected framework. COBIT is available for download. As defined in the COBIT framework, each of the following related products and/or elements is organized by IT management process:

  • Control objectives—Generic statements of minimum good control in relation to IT processes
  • Management guidelines—Guidance on how to assess and improve IT process performance, using maturity models; Responsible, Accountable, Consulted and/or Informed (RACI) charts; goals; and metrics. They provide a management-oriented framework for continuous and proactive control self-assessment specifically focused on:
    • Performance measurement
    • IT control profiling
    • Awareness
    • Benchmarking
  • COBIT Control Practices—Risk and value statements and ‘how to implement’ guidance for the control objectives
  • IT Assurance Guide—Guidance for each control area on how to obtain an understanding, evaluate each control, assess compliance and substantiate the risk of controls not being met

A glossary of terms is available. The words audit and review are used interchangeably in the IT Audit and Assurance Standards, Guidelines, and Tools and Techniques.

Disclaimer: ISACA has designed this guidance to describe the minimum level of acceptable performance required to meet the professional responsibilities set out in the ISACA Code of Professional Ethics. ISACA makes no claim that use of this product will assure a successful outcome. The publication should not be considered inclusive of any proper procedures and tests or exclusive of other procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific procedure or test, the controls professional should apply his/her own professional judgment to the specific control circumstances presented by the particular systems or IT environment.


Development of Standards, Guidelines, and Tools and Techniques

The ISACA Professional Standards Committee is committed to wide consultation in the preparation of IT Audit and Assurance Standards, Guidelines, and Tools and Techniques. Prior to issuing any documents, the Professional Standards Committee issues exposure drafts internationally for general public comment.

The Professional Standards Committee also seeks consultation with those who possess a special expertise or interest in the topic under consideration. This is an ongoing development programme that welcomes the input of ISACA members and other interested parties to identify emerging issues requiring new standards.

Suggestions should be:

  • E-mailed (standards@isaca.org)
  • Faxed (+1.847.253.1443)
  • Mailed to: ISACA International Headquarters, 3701 Algonquin Road, Suite 1010, Rolling Meadows, IL 60008, USA, for the attention of the Director of Research, Standards and Academic Relations.