IS Audit and Assurance Guideline 2004 Reasonable Expectation 

 


The guideline is presented in the following sections:

  1. Guideline purpose and linkage to standards
  2. Guideline content
  3. Linkage to standards and COBIT 5 processes
  4. Terminology
  5. Effective date

1. Guideline Purpose and Linkage to Standards


1.0 Introduction

This section clarifies the:
1.1 Purpose of the guideline
1.2 Linkage to standards
1.3 Term usage of ‘audit function’ and ‘professionals’

1.1 Purpose

1.1.1 The purpose of this guideline is to assist the IS audit and assurance professionals in implementing the principle of reasonable expectation in the execution of audit engagements. The main features over which the professionals should have reasonable expectation are that:
  • The audit engagement can be completed in accordance with these standards, other applicable standards or regulations, and result in a professional opinion or conclusion.
  • The scope of the audit engagement permits an opinion or conclusion to be expressed on the subject matter.
  • Management will provide them with appropriate, relevant and timely information required to perform the audit engagement.
1.1.2 This guideline further assists the IS audit and assurance professionals in addressing scope limitations and provides guidance on accepting a change in terms.
1.1.3 IS audit and assurance professionals should consider this guideline when determining how to implement the standard, use professional judgement in its application, be prepared to justify any departure and seek additional guidance if considered necessary.

1.2 Linkage to Standards

1.2.1 Standard 1001 Audit Charter
1.2.2 Standard 1004 Reasonable Expectation

1.3 Term Usage

1.3.1 Hereafter:
  • ‘IS audit and assurance function’ is referred to as ‘audit function’
  • ‘IS audit and assurance professionals’ are referred to as ‘professionals’

2. Guideline Content


2.0 Introduction

The guideline content section is structured to provide information on the following key audit and assurance engagement topics:
2.1 Standards and regulations
2.2 Scope
2.3 Scope limitations
2.4 Information
2.5 Acceptance of a change in engagement terms

2.1 Standards and Regulations

2.1.1 The audit charter will determine the standards the audit function and professionals will adhere to, as described in Standard 1001 Audit Charter.
2.1.2 Professionals should gather and assess all applicable standards listed in the audit charter and regulations before the audit engagement and revisit them throughout the engagement to determine if they have reasonable expectation that they can complete the audit engagement in accordance with these standards and regulations, and that the audit engagement will result in a professional opinion or conclusion.
2.1.3 Should professionals determine that the audit engagement cannot be completed in accordance with one or more of the applicable standards and regulations, and thus expressing a professional opinion or conclusion will not be possible, they should:
  • Inform IS audit and assurance management and those charged with governance of the identified compliance issues with the standards and regulations
  • Propose either a change in engagement terms or that the proposed engagement not be accepted

2.2 Scope

2.2.1 Before undertaking the audit engagement, the professionals should review the scope of the audit engagement. They should determine that the scope of the audit is clearly documented and permits a professional opinion or conclusion to be drawn on the subject matter.
2.2.2 The scope of the audit engagement should be clearly documented, with no room for interpretation as to which areas (e.g., processes, activities, systems) are in scope of the engagement. A scope that is described too vaguely will not allow professionals to form a professional opinion or conclusion, because there is no certainty that all areas in scope are assessed.
2.2.3 Should professionals determine that the scope of the audit engagement does not enable them to express a professional opinion or conclusion, they should:
  • Inform IS audit and assurance management and those charged with governance of the identified issues with the scope.
  • Propose a change in engagement terms or not accept the proposed audit engagement.

2.3 Scope Limitations

2.3.1 Specific scope limitations may occur before or during the audit engagement. These scope limitations can be influenced by different factors, such as:
  • Appropriate, relevant and timely information required to complete the audit engagement is unavailable.
  • (Key) auditees are unavailable.
  • The time frame included is insufficient to complete the entire scope of the audit engagement.
  • Management tries to limit the scope of the audit engagement to selected areas.
  • The scope of the audit engagement is either too small or too large to come to a conclusion on the subject matter.
  • The level of decentralisation makes it difficult to come to a conclusion on the totality of the subject matter.
  • A sufficient number of appropriately skilled professionals is not available to perform the audit engagement with its current scope.
  • The reporting structure of the audit function, e.g., if the audit function does not report to the appropriate level within the enterprise, it may be directed not to assess certain elements in scope.
2.3.2 The professionals should consider whether these scope limitations still allow for reasonable expectation that the audit engagement will result in a professional opinion or conclusion. Should they determine that this condition will not be fulfilled, they should not accept the engagement.
2.3.3 Should professionals conclude that they still have reasonable expectation that, despite the scope limitations, the engagement will result in a professional opinion or conclusion, professionals should accept or continue the audit engagement. The scope limitations should be explicitly described in the IS audit and assurance engagement report.

2.4 Information

2.4.1 The audit charter will determine the right of access to information, systems, personnel and locations relevant to the performance of the audit engagement, as described in Standard 1001 Audit Charter.
2.4.2 Before undertaking the audit engagement, professionals need to identify and address any restrictions being placed upon their right to access appropriate, relevant and timely information for the audit engagement. They should have a reasonable expectation that their right to access for this audit engagement is in accordance with the stipulations in the audit charter, or that potential deviations from these stipulations do not preclude the professionals from reaching a professional opinion or conclusion on the subject matter.
2.4.3 Performing an audit or assurance engagement could involve assessing activities performed by senior and executive management. The possibility of such an event occurring, as well as whether professionals will be challenged in their need to access these individuals or related information, should be assessed before the execution of the audit engagement. Mitigating actions might be needed before the execution of the audit engagement, such as, but not limited to:
  • Ensuring the audit charter provides appropriate authority to the audit function and professionals
  • Obtaining the explicit, written support from those charged with governance, e.g., board of directors and audit committee
  • Attendance by a member of the board or executive management when requiring access to executive or senior management
2.4.4 Should professionals conclude that their right of access to information does not enable them to express a professional opinion or conclusion, they should:
  • Inform IS audit and assurance management and those charged with governance of the identified issues with their right to access appropriate, relevant and timely information.
  • Propose a change in engagement terms or not accept the proposed audit engagement.

2.5 Acceptance of a Change in Engagement Terms

2.5.1 Professionals should not accept a change in terms of the audit engagement when there is no justification for doing so, based on their professional judgement.
2.5.2 If professionals, prior to the end of the audit engagement, are requested to accept a change in terms that lowers the level of assurance, they should determine whether there is justification for doing so, based on their professional judgement.
2.5.3 If the terms of an audit engagement are changed, they should be recorded and formally approved by both professionals and IS audit and assurance management. After completion of the audit engagement, the IS audit and assurance engagement report should mention this change in terms explicitly.
2.5.4 If professionals do not accept a change in terms of the audit engagement and management does not permit them to continue the original audit engagement, in consultation with audit and assurance management they should:
  • Withdraw from the audit engagement.
  • Determine, according to their professional judgement, the need to report the circumstances to those charged with governance, the board of directors or even regulators.

3. Linkage to Standards and COBIT 5 Processes


3.0 Introduction

This section provides an overview of relevant:
3.1 Linkage to standards
3.2 Linkage to COBIT 5 processes
3.3 Other guidance

3.1 Linkage to Standards

The table provides an overview of:
  • The most relevant ISACA Standards that are directly supported by this guideline
  • Those standard statements that are most relevant to this guideline

Note: Only those standard statements relevant to this guideline are listed.

| Standard Title | Relevant Standard Statements |
|---|---|
| 1001 Audit Charter | The IS audit and assurance function shall document the audit function appropriately in an audit charter, indicating purpose, responsibility, authority and accountability. |
| | The IS audit and assurance function shall have the audit charter agreed upon and approved at an appropriate level within the enterprise. |
| 1004 Reasonable Expectation | IS audit and assurance professionals shall have reasonable expectation that the engagement can be completed in accordance with IS audit and assurance standards and, where required, other appropriate professional or industry standards or applicable regulations and result in a professional opinion or conclusion. |
| | IS audit and assurance professionals shall have reasonable expectation that the scope of the engagement enables conclusion on the subject matter and addresses any restrictions. |
| | IS audit and assurance professionals shall have reasonable expectation that management understands its obligations and responsibilities with respect to the provision of appropriate, relevant and timely information required to perform the engagement. |


3.2 Linkage to COBIT 5 Processes

The table provides an overview of the most relevant:
  • COBIT 5 processes
  • COBIT 5 process purpose

Specific activities performed as part of executing these processes are contained in COBIT 5: Enabling Processes.

| COBIT 5 Process ID and Title | Process Purpose |
|---|---|
| MEA02 Monitor, evaluate and assess the system of internal control. | Obtain transparency for key stakeholders on the adequacy of the system of internal controls and thus provide trust in operations, confidence in the achievement of enterprise objectives and an adequate understanding of residual risk. |
| MEA03 Monitor, evaluate and assess compliance with external requirements. | Ensure that the enterprise is compliant with all applicable external requirements. |


3.3 Other Guidance

When implementing standards and guidelines, professionals are encouraged to seek other guidance when considered necessary. This could be from IS audit and assurance:
  • Colleagues from within and/or outside the enterprise, e.g., through professional associations or professional social media groups
  • Management
  • Governance bodies within the organisation, e.g., audit committee
  • Other guidance (e.g., books, papers, other guidelines)

4. Terminology


 
| Term | Definition |
|---|---|
| (None) | |


5. Effective Date


5.1 Effective Date

This guideline is effective for all IS audit and assurance engagements beginning on or after 1 September 2014.