The guideline is presented in the following sections:
- Guideline purpose and linkage to standards
- Guideline content
- Linkage to standards and COBIT 5 processes
- Terminology
- Effective date
1. Guideline Purpose and Linkage to Standards
This section clarifies the:
1.1 Purpose of the guideline
1.2 Linkage to standards
1.3 Term usage of ‘audit function’ and ‘professionals’
1.1.1 The purpose of this guideline is to address the independence of the IS audit and assurance function in the enterprise. Three important aspects are considered:
- The position of the IS audit and assurance function within the enterprise
- The level to which the IS audit and assurance function reports to within the enterprise
- The performance of non-audit services within the enterprise by IS audit and assurance management and IS audit and assurance professionals
1.1.2 This guideline provides guidance on assessing organisational independence and details the relationship between organisational independence and the audit charter and audit plan.
1.1.3 IS audit and assurance professionals should consider this guideline when determining how to implement the standard, use professional judgement in its application, be prepared to justify any departure and seek additional guidance if considered necessary.
1.2 Linkage to Standards
1.2.1 Standard 1001 Audit Charter
1.2.2 Standard 1002 Organisational Independence
1.2.3 Standard 1003 Professional Independence
1.2.4 Standard 1004 Reasonable Expectation
1.2.5 Standard 1006 Proficiency
1.3 Term Usage
- ‘IS audit and assurance function’ is referred to as ‘audit function’
- ‘IS audit and assurance professionals’ are referred to as ‘professionals’
2. Guideline Content
The guideline content section is structured to provide information on the following key IS audit and assurance engagement topics:
2.1 Position in the enterprise
2.2 Reporting level
2.3 Non-audit services
2.4 Assessing independence
2.5 Audit charter and audit plan
2.1 Position in the Enterprise
2.1.1 To enable organisational independence, the audit function needs to have a position in the enterprise that allows it to perform its responsibilities without interference. This can be achieved by:
- Establishing the audit function in the audit charter as an independent function or department, outside of the operational departments. The audit function should not be assigned any operational responsibilities or activities.
- Ensuring that the audit function reports to a level within the enterprise that allows it to achieve organisational independence. Reporting to the head of an operational department could compromise organisational independence, as described in more detail in section 2.2.
2.1.2 The audit function should avoid performing non-audit roles in IS initiatives that require assumption of management responsibilities, because such roles could impair future independence. The independence and accountability of the audit function should be addressed in the audit charter, as described in Standard 1001 Audit Charter.
2.2 Reporting Level
2.2.1 The audit function should report to a level within the enterprise that allows it to act with complete organisational independence. The independence should be defined in the audit charter and confirmed by the audit function to the board of directors and those charged with governance on a regular basis, at least annually.
2.2.2 To ensure organisational independence of the audit function, the following should be reported to those charged with governance (e.g., the board of directors) for their input and/or approval:
- The audit resource plan and budget
- The (risk-based) audit plan
- Performance follow-up performed by the audit function on the IS audit activity
- Follow-up of significant scope or resource limitations
2.2.3 To ensure organisational independence of the audit function, explicit support is needed from both the board and executive management.
2.3 Non-audit Services
2.3.1 In many enterprises, management and IS staff expect that the audit function may be involved in providing non-audit services. This involves full-time or part-time participation of the professionals in IS initiatives and IS project teams to provide advisory or consultative capabilities.
2.3.2 Activities that are routine and administrative or involve matters that are insignificant generally are deemed not to be management responsibilities and, therefore, would not impair independence. Non-audit services that would also not impair independence or objectivity, if adequate safeguards are implemented, include providing routine advice on information technology risk and controls.
2.3.3 The following non-audit services are considered to impair independence and objectivity, because the threats created would be so significant that no safeguards could reduce them to an acceptable level:
- Assuming management responsibilities or performing management activities
- Material involvement of professionals in the supervision or performance of designing, developing, testing, installing, configuring or operating information systems that are material or significant to the subject matter of the audit or assurance engagement
- Designing controls for information systems that are material or significant to the subject matter of current or planned future audit engagements
- Serving in a governance role where the professionals are responsible for either independently or jointly making management decisions or approving policies and standards
- Providing advice that forms the primary basis of management decisions
2.3.4 Providing non-audit services in areas that currently are, or in the future will be, the subject matter of an audit engagement also creates threats to independence that would be difficult to overcome with safeguards. In this situation, the perception may be that both the independence and objectivity of the audit function and professionals have been impaired by performing non-audit services in that specific area. The audit function and professionals should determine if adequate safeguards can be implemented to sufficiently mitigate these actual or perceived threats to independence.
2.3.5 More detailed guidance on dealing with these independence threats can be found in Standard 1003 Professional Independence and the related Guideline 2003.
2.4 Assessing Independence
2.4.1 Independence should be assessed regularly by the audit function and professionals. This assessment needs to occur on an annual basis for the audit function and prior to each engagement for professionals, as described in Standard 1003 Professional Independence. The assessment should consider factors such as:
- Changes in personal relationships
- Financial interests
- Prior job assignments and responsibilities
2.4.2 The audit function needs to disclose possible issues related to organisational independence and discuss them with the board of directors or those charged with governance. A resolution needs to be found and confirmed in the audit charter or audit plan.
2.5 Audit Charter and Audit Plan
2.5.1 The audit charter should detail, under the aspect ‘responsibility’, the implementation of organisational independence of the audit function. In addition to detailing independence, the audit charter should also include possible impairments to independence.
2.5.2 Organisational independence should also be reflected in the audit plan. The audit function needs to be able to determine the scope of the plan independently, without restrictions being imposed by executive management.
3. Linkage to Standards and COBIT 5 Processes
This section provides an overview of relevant:
3.1 Linkage to standards
3.2 Linkage to COBIT 5 processes
3.3 Other guidance
3.1 Linkage to Standards
The table provides an overview of:
- The most relevant ISACA IS audit and assurance standards that are directly supported by this guideline
- Those standard statements that are most relevant to this guideline
Note: Only those standard statements relevant to this guideline are listed.

| Standard | Relevant Standard Statements |
|---|---|
| 1001 Audit Charter | The IS audit and assurance function shall document the audit function appropriately in an audit charter, indicating purpose, responsibility, authority and accountability. The IS audit and assurance function shall have the audit charter agreed upon and approved at an appropriate level within the enterprise. |
| 1002 Organisational Independence | The IS audit and assurance function shall be independent of the area or activity being reviewed to permit objective completion of the audit and assurance engagement. |
| 1003 Professional Independence | IS audit and assurance professionals shall be independent and objective in both attitude and appearance in all matters related to audit and assurance engagements. |
| 1004 Reasonable Expectation | IS audit and assurance professionals shall have reasonable expectation that the scope of the engagement enables conclusion on the subject matter and addresses any restrictions. |
| 1006 Proficiency | IS audit and assurance professionals, collectively with others assisting with the assignment, shall possess adequate skills and proficiency in conducting IS audit and assurance engagements and be professionally competent to perform the work required. |
3.2 Linkage to COBIT 5 Processes
The table provides an overview of the most relevant:
- COBIT 5 processes
- COBIT 5 process purpose
Specific activities performed as part of executing these processes are contained in COBIT 5: Enabling Processes.

| COBIT 5 Process | Process Purpose |
|---|---|
| EDM01 Ensure governance framework setting and maintenance. | Provide a consistent approach integrated and aligned with the enterprise governance approach. To ensure that IT-related decisions are made in line with the enterprise's strategies and objectives, ensure that IT-related processes are overseen effectively and transparently, compliance with legal and regulatory requirements is confirmed, and the governance requirements for board members are met. |
| APO01 Manage the IT management framework. | Provide a consistent management approach to enable the enterprise governance requirements to be met, covering management processes, organisational structures, roles and responsibilities, reliable and repeatable activities, and skills and competencies. |
| MEA02 Monitor, evaluate and assess the system of internal control. | Obtain transparency for key stakeholders on the adequacy of the system of internal controls and thus provide trust in operations, confidence in the achievement of enterprise objectives and an adequate understanding of residual risk. |
3.3 Other Guidance
When implementing standards and guidelines, professionals are encouraged to seek other guidance when considered necessary. This could be from IS audit and assurance:
- Colleagues within and/or outside the enterprise, e.g., through professional associations or professional social media groups
- Governance bodies within the enterprise, e.g., audit committee
- Other professional guidance (e.g., books, papers, other guidelines)
4. Terminology
4.1 Terminology

| Term | Definition |
|---|---|
| Independence | The freedom from conditions that threaten objectivity or the appearance of objectivity. Such threats to objectivity must be managed at the individual auditor, engagement, functional and organisational levels. Independence includes independence of mind and independence in appearance. |
| Objectivity | The ability to exercise judgement, express opinions and present recommendations with impartiality. |
5. Effective Date
5.1 Effective Date
This guideline is effective for all IS audit and assurance engagements beginning on or after 1 September 2014.