The guideline is presented in the following sections:
- Guideline purpose and linkage to standards
- Guideline content
- Linkage to standards and COBIT 5 processes
- Effective date
1. Guideline Purpose and Linkage to Standards
This section clarifies the:
1.1 Purpose of the guideline
1.2 Linkage to standards
1.3 Term usage of ‘audit function’ and ‘professionals’
1.1.1 The purpose of this guideline is to provide a framework that enables the IS audit and assurance professional to:
- Establish when independence may be, or may appear to be, impaired
- Consider potential alternative approaches to the audit process when independence is, or may appear to be, impaired
- Reduce or eliminate the impact on independence of IS audit and assurance professionals performing non-audit roles, functions and services
- Determine disclosure requirements when required independence may be, or may appear to be, impaired
1.1.2 IS audit and assurance professionals should consider this guideline when determining how to implement the standard, use professional judgement in its application, be prepared to justify any departure and seek additional guidance if considered necessary.
1.2 Linkage to Standards
1.2.1 Standard 1002 Organisational Independence
1.2.2 Standard 1003 Professional Independence
1.2.3 Standard 1005 Due Professional Care
1.3 Term Usage
- ‘IS audit and assurance function’ is referred to as ‘audit function’
- ‘IS audit and assurance professionals’ are referred to as ‘professionals’
2. Guideline Content
The guideline content section is structured to provide information on the following key IS audit and assurance engagement topics:
2.1 Conceptual framework
2.2 Threats and safeguards
2.3 Managing threats
2.4 Non-audit services or roles
2.5 Non-audit services or roles that do not impair independence
2.6 Non-audit services or roles that do impair independence
2.7 Relevance of independence when providing non-audit services or roles
2.8 Governance of the admissibility of non-audit services or roles
2.1 Conceptual Framework
2.1.1 Many different circumstances or combinations of circumstances may be relevant in assessing threats to independence. It is impossible to define every situation that creates a threat to independence and to specify the appropriate action. Therefore, this guideline establishes a conceptual framework that requires the professional to identify, evaluate and address threats to independence. The conceptual framework approach assists in complying with the independence standards, and it accommodates many variations in circumstances that create threats to independence.
2.1.2 The conceptual framework approach should be applied by professionals to:
- Identify threats to independence.
- Evaluate the significance of the threats identified.
- Apply safeguards, when necessary, to eliminate the threats or reduce them to acceptable levels.
2.1.3 When professionals determine that appropriate safeguards are not available or cannot be applied to eliminate threats or reduce threats to an acceptable level, professionals should eliminate the circumstance or relationship creating the threats, or decline or terminate the audit or assurance engagement. If professionals cannot decline or terminate the engagement, appropriate disclosure of the impairment to independence must be made to those charged with governance and in any report resulting from the engagement.
2.1.4 Professionals should use professional judgement in applying this conceptual framework.
2.1.5 An important aspect when applying the framework is consultation. The IS audit and assurance professional should seek guidance, when considered necessary, from:
- Colleagues inside the enterprise
- Those charged with governance
- Relevant professional organisations
2.1.6 Although there is no requirement for professionals to be independent to perform non-audit services or roles, objectivity is still a professional requirement when performing them. Professionals should consider applying this conceptual framework to identify threats to objectivity, evaluate the significance of the threats and implement appropriate safeguards when performing non-audit services or roles.
2.2 Threats and Safeguards
2.2.1 Threats may be created by a broad range of relationships and circumstances. When a relationship or circumstance creates a threat, such a threat could impair, or could be perceived to impair, professional independence. A circumstance or relationship may create more than one threat to independence. Threats fall into one or more of the following categories:
- Self-interest—The threat that a financial or other interest will influence professional judgement or behaviour inappropriately
- Self-review—The threat that professionals will not appropriately evaluate the results of a previous judgement made or service performed by them or by another individual within the audit function, on which professionals will rely when forming a judgement as part of performing the current engagement
- Advocacy—The threat that professionals will promote an auditee’s position to the point that professional objectivity is compromised
- Familiarity—The threat that due to a long or close relationship with the auditee, professionals will be too sympathetic to the interests of the auditee or will be too accepting of the auditee’s work, views or arguments
- Intimidation—The threat that professionals will be deterred from acting with integrity and objectivity because of actual or perceived pressures, including attempts to exercise undue influence over professionals
- Bias—The threat that professionals will, as a result of political, ideological, social, psychological or other convictions, take a position that is not objective
- Management participation—The threat that results from professionals taking on the role of management or otherwise performing management functions on behalf of the entity undergoing an audit or assurance engagement
2.2.2 Safeguards are controls designed to eliminate threats to independence or to reduce them to an acceptable level. Under the conceptual framework, professionals apply safeguards that address the specific facts and circumstances under which threats to independence exist. In some cases, multiple safeguards may be necessary to address a threat.
Examples of safeguards that can be considered by professionals in response to identified threats are:
- A governance structure at the enterprise and audit function that provides appropriate oversight and communications regarding the IS audit and assurance services to be performed
- Ensuring that professionals (and IS audit management) report to an adequate hierarchical level within the enterprise, preferably those charged with governance
- Internal procedures at the enterprise and audit function that ensure objective choices in assigning engagements, e.g., adequate educational, training and experience requirements, continuing professional development requirements
- Assigning management and staff from outside the audit function, e.g., borrowing staff from another function, division or external organisation, to supplement professionals
- An adequate system of incentives (rewards and penalties) that rewards professionals for critical and objective thinking and penalises bias or prejudice
- Periodic rotation of professionals’ IS audit assignments, reducing the degree of familiarity and self-review
- Adequate hiring practices such as background screening and vetting, which could improve the likelihood that professionals are free from bias or self-interest
- Removing an individual from an IS audit team when that individual’s interests or relationships pose a threat to independence
- Appropriate documentation and reporting requirements ensuring that assessment of professional independence is documented in the work papers and consistently reported in deliverables
- Having a professional staff member or management from within the audit function who was not a member of the IS audit team carefully review the work performed
- Assigning an independent resource, from within the audit function or other sources referenced previously, to carry out a peer review or to act as an independent observer during planning, field work and reporting
- Having an external review of the reports, communications or information produced by professionals by a recognised third party, e.g., accepted authority in the field or independent specialist
- Outsourcing the IS audit and assurance engagement to an external service provider
2.3 Managing Threats
2.3.1 Facts and circumstances that create threats to independence can result from events such as the start of a new audit, assignment of new staff to an ongoing audit and acceptance of a non-audit service at an audited entity. Many other events can result in threats to independence. Whenever relevant new information about a threat to independence comes to the attention of professionals during an audit or assurance engagement, they should re-evaluate the significance of the threat in accordance with the conceptual framework.
2.3.2 Professionals should evaluate threats:
- To independence using the conceptual framework when the facts and circumstances under which professionals perform their work may create new threats or increase the significance of existing threats to independence
- Both individually and in the aggregate because threats can have a cumulative effect on professional independence
- Both qualitatively and quantitatively when determining the significance of a threat
2.3.3 The audit function and professionals should determine whether identified threats to independence are at an acceptable level or have been eliminated or reduced to an acceptable level. A threat to independence is not acceptable if it could either:
- Impact a professional’s ability to perform an audit or assurance engagement without being affected by influences that compromise professional judgement
- Expose professionals, audit function or audit organisation to circumstances that would cause a reasonable and informed third party to conclude that the integrity, objectivity or professional scepticism of the audit organisation, or a member of the IS audit and assurance team, had been compromised
2.3.4 When the audit function and professionals identify threats to independence and, based on an evaluation of those threats, determine that the threats are not at an acceptable level, they should:
- Determine whether appropriate safeguards are available and can be applied to eliminate the threats or reduce them to acceptable levels.
- Exercise professional judgement in making that determination, and should take into account whether both independence of mind and independence in appearance are maintained.
- Seek guidance from appropriate parties, as described in 2.1.5, to identify and apply appropriate safeguards.
2.3.5 Documentation provides evidence of professionals’ judgements in forming conclusions regarding compliance with independence requirements.
2.3.6 Professionals should document conclusions regarding compliance with independence requirements and the substance of any relevant discussions with audit management and, if necessary, those charged with governance, that support those conclusions, including:
- The steps that were taken to analyse the nature of independence
- The actual nature of the independence issue
- List and description of threats
- The final conclusion reached
- Safeguards in place to eliminate or reduce the threats to an acceptable level
2.4 Non-audit Services or Roles
2.4.1 In many enterprises, the expectation of management, IS staff and internal audit is that professionals may be involved in providing non-audit services or roles such as:
- Defining IS strategies relating to areas such as technology, applications and resources
- Evaluating, selecting and implementing technologies
- Evaluating, selecting, customising and implementing third-party IS applications and solutions
- Designing, developing and implementing custom-built IS applications and solutions
- Establishing good practices, policies and procedures relating to various IT functions
- Designing, developing, testing and implementing IT security and IT controls
- Managing IT projects
2.4.2 Providing non-audit services or roles, in general, involves full-time or part-time participation in IT initiatives and IT project teams to provide advisory or consultative capabilities. IS audit and assurance professionals may fulfil a non-audit function through activities such as:
- The full-time temporary assignment or loan of IS audit and assurance staff to an IT project team
- The part-time assignment of an IS audit and assurance staff member as a member of the various IT project structures, such as the project steering group, project working group, evaluation team, negotiation and contracting team, implementation team, quality assurance team and troubleshooting team
- Acting as an advisor or reviewer of IT projects or IT controls on an ad hoc basis
2.4.3 Providing non-audit services or roles may create threats to professional independence in attitude or appearance that can be particularly difficult to overcome with safeguards if the area in which the non-audit services or roles were performed currently is, or in the future becomes, the subject matter of an audit or assurance engagement. In this situation, the perception may be that both the independence and the objectivity of professionals have been impaired by performance of the non-audit services or roles.
2.4.4 Professionals providing non-audit services or roles should evaluate, using the conceptual framework, whether the non-audit services or roles impair independence either in attitude or in appearance for current or future audit or assurance engagements. This applies to engagements where the area in which the non-audit services or roles are performed is significant or material to the subject matter or stakeholders of those engagements. Professionals should seek guidance from IS audit and assurance colleagues and management when necessary and, if necessary, from those charged with governance, to determine whether adequate safeguards can be implemented to mitigate any actual or perceived threats to independence.
2.4.5 Prior to commencing non-audit services or roles, professionals should establish and document their understanding with IS audit management and/or those charged with governance, as appropriate, regarding:
- The objectives of the non-audit services or roles
- The nature of the non-audit services or roles to be performed
- The audited entity’s acceptance of its responsibilities related to the non-audit services or roles
- Professional responsibilities related to the non-audit services or roles
- Any limitations of the non-audit services or roles
- Any limitations to the scope of future audit services professionals can provide
2.4.6 In the case of an IS audit or assurance engagement where there is potential for impaired independence in attitude or appearance due to non-audit services or roles performed, IS audit and assurance management should implement safeguards such as:
- Monitoring the conduct of the audit closely
- Evaluating any significant indications of impairment of independence in attitude or appearance arising out of non-audit services or roles performed and initiating necessary safeguards
- Informing those charged with governance of the potential impairment of independence in attitude or appearance and the safeguards implemented
2.5 Non-audit Services or Roles That Do Not Impair Independence
2.5.1 Activities that are routine and administrative or involve matters that are insignificant generally are deemed not to be a management responsibility and therefore would not impair independence. Further, providing advice and recommendations to assist management in discharging its responsibilities is not regarded as assuming a management responsibility.
2.5.2 Non-audit services or roles that would also not impair independence or objectivity if adequate safeguards are implemented include providing routine advice on IT risk and controls.
2.5.3 To avoid the risk of assuming a management responsibility when providing non-audit services or roles in an area that is or could become the subject of an audit or assurance engagement, professionals should only provide the non-audit services or roles if satisfied that management performs or will perform the following functions in connection with the non-audit services or roles:
- Assume all management responsibilities
- Oversee the services by designating an individual, preferably within senior management, who possesses suitable skill, knowledge or experience
- Evaluate the adequacy and results of the services performed
- Accept responsibility for the results of the services
Professionals should document consideration of management’s ability to effectively oversee the non-audit services or roles to be performed.
2.6 Non-audit Services or Roles That Do Impair Independence
2.6.1 If professionals were to assume management responsibilities or perform management activities, the threats to independence could become so significant that no safeguards could reduce them to an acceptable level. Whether an activity is a management responsibility depends on the circumstances and requires the exercise of professional judgement. Examples of activities that would generally be considered a management responsibility include:
- Setting policies and strategic direction
- Directing and taking responsibility for the actions of the entity’s employees
- Authorising transactions
- Deciding which recommendations of the audit function, internal audit function, organisation, firm or other third parties to implement
- Taking responsibility for designing, implementing or maintaining internal control
- Accepting responsibility for the management of an IT project or initiative
2.6.2 In addition to assuming management responsibilities, the following non-audit services or roles are considered to impair independence and objectivity:
- Material involvement of professionals in the supervision or performance of designing, developing, testing, installing, configuring or operating information systems that are material or significant to the subject matter of the audit or assurance engagement
- Designing controls for information systems that are material or significant to the subject matter of the audit or assurance engagement
- Serving in a governance role where professionals are responsible for either independently or jointly making management decisions or approving policies and standards
- Providing advice that forms the primary basis of management decisions or performing management functions
2.7 Relevance of Independence When Providing Non-audit Services or Roles
2.7.1 Unless prohibited by other external standards or by legislation, there is no requirement for professionals either to be, or to be seen to be, independent when carrying out tasks relating to performing non-audit services or roles; objectivity is still a professional requirement. Accordingly, professionals should carry out tasks relating to non-audit services or roles in an objective and professional manner.
2.7.2 Despite there being no requirement for professionals to be independent while performing non-audit services or roles, professionals should consider whether independence could be impaired if they are assigned to perform an audit or assurance engagement in which the area where non-audit services or roles are or were provided is material to the subject matter of the engagement. Where such a potential impairment is foreseeable (e.g., where an independent audit will be required later and there is only one professional with the requisite skills to perform both the non-audit services or roles and the subsequent audit), the professional should seek guidance from audit management and, if necessary, those charged with governance, prior to accepting or performing the non-audit services or roles.
2.7.3 Determining whether professionals should perform non-audit services or roles, when a current or subsequent audit or assurance engagement of the area in which those non-audit services or roles are performed is planned or is likely to be performed by the same professional, should be the decision of IS audit management with the concurrence of those charged with governance. IS audit management should apply the conceptual framework when making the decision, and the following factors may also influence it:
- Professionals should not be placed in a situation in which they audit their own work or provide non-audit services or roles in areas that are known or likely to be significant or material to the subject matter of IS audit or assurance engagements in which they are or will be involved
- Whether there are available resources to perform both the non-audit and independent audit and assurance function separately
- The perception of IS management and those charged with governance of the value or importance of the non-audit services or roles relative to the audit and assurance engagement
- Level of risk to the audit function associated with the non-audit services or roles
- Effect of the decision on the requirements of external auditors or regulators, if any
- The provisions of the IS audit charter
2.8 Admissibility of Non-audit Services or Roles
2.8.1 The IS audit charter should establish whether professionals are permitted to be involved in performing non-audit services or roles and the broad nature, timing and extent of such services or roles, to ensure that independence is not impaired with respect to the systems they may audit. This could eliminate or minimise the need to obtain specific mandates for each non-audit service or role on a case-by-case basis.
2.8.2 Professionals should provide reasonable assurance that the terms of reference (TOR) of specific non-audit services or roles are in conformity with the audit charter. Where there are any deviations, the same should be expressly spelled out in the TOR and approved by IS audit and assurance management and/or those charged with governance.
2.8.3 Where the audit charter does not specify the non-audit services or roles or where there is no audit charter, professionals should report the nature of their involvement in non-audit services or roles to IS audit and assurance management and those charged with governance. The timing and extent of professionals’ involvement in non-audit services or roles should be subject to individual TOR signed by management of the function where the services or roles will be performed and approved by those charged with governance.
2.9.1 Where the independence of professionals, with reference to an IS audit or assurance engagement, could be, could appear to be, or is impaired, and those charged with governance have made the decision to continue the engagement, the IS audit and assurance engagement report should include sufficient information to allow the users of the report to understand the nature of the potential impairment. Information that professionals should consider disclosing in an IS audit and assurance engagement report includes:
- Names and seniority of professionals involved in the IS audit or assurance engagement that may have, or may appear to have, an impairment to independence
- Analysis and description of the threats to independence
- Safeguards implemented to eliminate or mitigate different threats to independence and objectivity during the course of the engagement work and the reporting process
- The fact that the potential impairment of independence has been disclosed to those charged with governance and their approval to perform or continue the assurance engagement and/or the non-audit services or roles
3. Linkage to Standards and COBIT 5 Processes
This section provides an overview of relevant:
3.1 Linkage to standards
3.2 Linkage to COBIT 5 processes
3.3 Other guidance
For the standards, only the relevant clauses are listed.
3.1 Linkage to Standards
The table provides an overview of:
- The most relevant ISACA IS audit and assurance standards that are directly supported by this guideline
- Those standard statements that are most relevant to this guideline

Note: Only those standard statements relevant to this guideline are listed.

| Standard | Relevant Standard Statements |
|---|---|
| 1001 Audit Charter | The IS audit and assurance function shall document the audit function appropriately in an audit charter, indicating purpose, responsibility, authority and accountability. The IS audit and assurance function shall have the audit charter agreed upon and approved at an appropriate level within the enterprise. |
| 1002 Organisational Independence | The IS audit and assurance function shall be independent of the area or activity being reviewed to permit objective completion of the audit and assurance engagement. |
| 1003 Professional Independence | IS audit and assurance professionals shall be independent and objective in both attitude and appearance in all matters related to audit and assurance engagements. |
| 1005 Due Professional Care | IS audit and assurance professionals shall exercise due care, including observance of applicable professional audit standards, in planning, performing and reporting on the results of engagements. |
3.2 Linkage to COBIT 5 Processes
The table provides an overview of the most relevant:
- COBIT 5 processes
- COBIT 5 process purpose

Specific activities performed as part of executing these processes are contained in COBIT 5: Enabling Processes.

| COBIT 5 Process | Process Purpose |
|---|---|
| MEA02 Monitor, evaluate and assess the system of internal control. | Obtain transparency for key stakeholders on the adequacy of the system of internal controls and thus provide trust in operations, confidence in the achievement of enterprise objectives and an adequate understanding of residual risk. |
| MEA03 Monitor, evaluate and assess compliance with external requirements. | Ensure that the enterprise is compliant with all applicable external requirements. |
3.3 Other Guidance
When implementing standards and guidelines, professionals are encouraged to seek other guidance when considered necessary. This could be from IS audit and assurance:
- Colleagues within and/or outside the enterprise, e.g., through professional associations or professional social media groups
- Governance bodies within the enterprise, e.g., audit committee
4. Terminology

| Term | Definition |
|---|---|
| Impairment | A condition that causes a weakness or diminished ability to execute audit objectives. Impairment to organisational independence and individual objectivity may include personal conflict of interest; scope limitations; restrictions on access to records, personnel, equipment or facilities; and resource limitations (such as funding or staffing). |
| Independence | The freedom from conditions that threaten objectivity or the appearance of objectivity. Such threats to objectivity must be managed at the individual auditor, engagement, functional and organisational levels. Independence includes independence of mind and independence in appearance. |
| Independence in appearance | The avoidance of facts and circumstances that are so significant that a reasonable and informed third party would be likely to conclude, weighing all the specific facts and circumstances, that an IS audit team’s, or a member of the IS audit team’s, integrity, objectivity or professional scepticism has been compromised. |
| Independence of mind | The state of mind that permits the expression of a conclusion without being affected by influences that compromise professional judgement, thereby allowing an individual to act with integrity and exercise objectivity and professional scepticism. |
| Integrity | The guarding against improper information modification or destruction, which includes ensuring information non-repudiation and authenticity. |
| Materiality | An audit concept regarding the importance of an item of information with regard to its impact or effect on the subject matter being audited. An expression of the relative significance or importance of a particular matter in the context of the engagement or the enterprise as a whole. |
| Objectivity | The ability to exercise judgement, express opinions and present recommendations with impartiality. |
| Professional judgement | The application of relevant knowledge and experience in making informed decisions about the courses of action that are appropriate in the circumstances of the IS audit and assurance engagement. |
| Professional scepticism | An attitude that includes a questioning mind and a critical assessment of audit evidence. Source: American Institute of Certified Public Accountants (AICPA) AU 230.07 |
5. Effective Date
5.1 Effective Date
This guideline is effective for all IS audit and assurance engagements beginning on or after 1 September 2014.