The guideline is presented in the following sections:
- Guideline purpose and linkage to standards
- Guideline content
- Linkage to standards and COBIT 5 processes
- Terminology
- Effective date
1. Guideline Purpose and Linkage to Standards
This section clarifies the:
1.1 Purpose of the guideline
1.2 Linkage to standards
1.3 Term usage of ‘audit function’ and ‘professionals’
1.1 Purpose of the Guideline
1.1.1 The purpose of this guideline is to clarify the term ‘due professional care’ as it applies to performing an audit engagement with integrity and care in compliance with the ISACA Code of Professional Ethics.
1.1.2 This guideline explains how IS audit and assurance professionals should apply due professional care in planning, performing and reporting on an audit engagement.
1.1.3 IS audit and assurance professionals should consider this guideline when determining how to implement the standard, use professional judgement in its application, be prepared to justify any departure and seek additional guidance if considered necessary.
1.2 Linkage to Standards
1.2.1 Standard 1002 Organisational Independence
1.2.2 Standard 1003 Professional Independence
1.2.3 Standard 1005 Due Professional Care
1.2.4 Standard 1006 Proficiency
1.2.5 Standard 1205 Evidence
1.3 Term Usage
- ‘IS audit and assurance function’ is referred to as ‘audit function’
- ‘IS audit and assurance professionals’ are referred to as ‘professionals’
2. Guideline Content
The guideline content section is structured to provide information on the following key audit and assurance engagement topics:
2.1 Professional scepticism and competency
2.3 Life cycle of the engagement
2.5 Obtaining and managing information
2.1 Professional Scepticism and Competency
2.1.1 Due professional care applies to the exercise of professional judgement in the conduct of work performed. Due professional care implies that professionals should approach matters requiring professional judgement with professional scepticism, diligence, integrity and care. They should maintain this attitude throughout the whole engagement.
2.1.2 Professionals should maintain competence, independence and an objective state of mind in all matters related to the conduct of the audit engagement. They should be honest, impartial and unbiased in addressing issues and reaching conclusions.
2.1.3 Exercising due professional care means that professionals consider the possible existence of inefficiencies, misuses, errors and omissions, incompetence, conflicts of interest, or fraud, and remain alert to the specific conditions or activities in which these issues can occur.
2.1.4 By keeping informed of and complying with developments in professional standards, professionals demonstrate sufficient understanding and professional competence to achieve the IS audit and assurance objectives. Detailed guidance can be found in Standard 1006 Proficiency.
2.1.5 Professionals should conduct the audit engagement with diligence while adhering to professional standards and statutory and regulatory requirements.
2.2.1 Due professional care should extend to every aspect of the audit, including, but not restricted to, evaluating audit risk, accepting audit assignments, establishing audit scope, formulating audit objectives, planning the audit, conducting the audit, allocating resources to the audit, selecting audit tests, evaluating test results, documenting the audit, arriving at audit conclusions, reporting and delivering audit results. In doing this, professionals should determine or evaluate the:
- Type, level, skill and competence of resources required to meet the IS audit and assurance objectives
- Significance of identified risk and the potential effect of such risk on the subject of the audit
- Sufficiency, validity and relevance of audit evidence gathered
- Competence, integrity and conclusions of others upon whose work professionals place reliance
2.2.2 Due professional care also requires professionals to conduct all engagements with the concept of reasonable assurance in mind.
2.2.3 Professionals should serve in the interest of stakeholders in a lawful and honest manner, while maintaining high standards of conduct and character, and should not engage in acts discreditable to the profession.
2.3 Life Cycle of the Engagement
2.3.1 Professionals should plan the audit engagement fully and in a timely manner, exercising due professional care to ensure that appropriate resources are available and that the engagement is completed on time. Professionals assigned to the engagement should collectively possess the skills, knowledge and relevant competencies needed to perform it.
2.3.2 Professionals should conduct the audit engagement by applying due professional care, i.e., by following the appropriate professional standards to ensure a quality and complete audit conclusion or opinion.
2.4.1 The defined roles and responsibilities should be communicated to the team members before the start of the project to ensure the team’s adherence to the appropriate professional standards during the audit engagement.
2.4.2 During the audit engagement, professionals should communicate appropriately with auditees and relevant stakeholders to ensure their cooperation.
2.4.3 Professionals should address their findings to the auditees of the audit engagement.
2.4.4 Professionals should document and communicate concerns regarding the application of professional standards to appropriate parties to resolve concerns.
2.4.5 Professionals should exercise due professional care while informing appropriate parties of the results of work performed.
2.5 Obtaining and Managing Information
2.5.1 Professionals should have a reasonable expectation that management understands its obligations and responsibilities in providing appropriate, relevant and timely information required for the performance of the audit engagement.
2.5.2 Professionals should take reasonable measures to maintain the privacy and confidentiality of information obtained in the course of their duties unless disclosure is required by legal authority. Such information must not be used for personal benefit or released to inappropriate parties.
2.5.3 Information should be retained and properly disposed of in accordance with organisational policies and relevant laws, rules and regulations.
3. Linkage to Standards and COBIT 5 Processes
This section provides an overview of relevant:
3.1 Linkage to standards
3.2 Linkage to COBIT 5 processes
3.3 Other guidance
3.1 Linkage to Standards
The table provides an overview of:
- The most relevant ISACA Standards that are directly supported by this guideline
- Those standard statements that are most relevant to this guideline
Note: Only those standard statements relevant to this guideline are listed.
| Standard | Relevant standard statements |
|---|---|
| 1002 Organisational Independence | The IS audit and assurance function shall be independent of the area or activity being reviewed to permit objective completion of the audit and assurance engagement. |
| 1003 Professional Independence | IS audit and assurance professionals shall be independent and objective in both attitude and appearance in all matters related to audit and assurance engagements. |
| 1005 Due Professional Care | IS audit and assurance professionals shall exercise due professional care, including observance of applicable professional audit standards, in planning, performing and reporting on the results of engagements. |
| 1006 Proficiency | IS audit and assurance professionals, collectively with others assisting with the assignment, shall possess adequate skills and proficiency in conducting IS audit and assurance engagements and be professionally competent to perform the work required. |
| | IS audit and assurance professionals, collectively with others assisting with the assignment, shall possess adequate knowledge of the subject matter. |
| | IS audit and assurance professionals shall maintain professional competence through appropriate continuing professional education and training. |
| 1205 Evidence | IS audit and assurance professionals shall obtain sufficient and appropriate evidence to draw reasonable conclusions on which to base the engagement results. |
| | IS audit and assurance professionals shall evaluate the sufficiency of evidence obtained to support conclusions and achieve engagement objectives. |
3.2 Linkage to COBIT 5 Processes
The table provides an overview of the most relevant:
- COBIT 5 processes
- COBIT 5 process purpose
Specific activities performed as part of executing these processes are contained in COBIT 5: Enabling Processes.
| COBIT 5 process | Process purpose |
|---|---|
| EDM01 Ensure governance framework setting and maintenance | Provide a consistent approach integrated and aligned with the enterprise governance approach. To ensure that IT-related decisions are made in line with the enterprise's strategies and objectives, ensure that IT-related processes are overseen effectively and transparently, compliance with legal and regulatory requirements is confirmed, and the governance requirements for board members are met. |
| APO07 Manage human resources | Optimise human resources capabilities to meet enterprise objectives. |
| MEA02 Monitor, evaluate and assess the system of internal control | Obtain transparency for key stakeholders on the adequacy of the system of internal controls and thus provide trust in operations, confidence in the achievement of enterprise objectives and an adequate understanding of residual risk. |
| MEA03 Monitor, evaluate and assess compliance with external requirements | Ensure that the enterprise is compliant with all applicable external requirements. |
3.3 Other Guidance
When implementing standards and guidelines, professionals are encouraged to seek other guidance, when considered necessary. This could be from IS audit and assurance:
- Colleagues from within the organisation and/or outside the enterprise, e.g., through professional associations or professional social media groups
- Governance bodies within the organisation, e.g., audit committee
- Other guidance (e.g., books, papers, other guidelines)
4. Terminology
| Term | Definition |
|---|---|
| Professional competence | Proven level of ability, together with professional experience, often linked to qualifications issued by relevant professional bodies and compliance with their codes of practice and standards |
| Professional judgement | The application of relevant knowledge and experience in making informed decisions about the courses of action that are appropriate in the circumstances of the IS audit and assurance engagement |
| Professional scepticism | An attitude that includes a questioning mind and a critical assessment of audit evidence. Source: American Institute of Certified Public Accountants (AICPA) AU 230.07 |
5. Effective Date
5.1 Effective Date
This revised guideline is effective for all IS audit and assurance engagements beginning on or after 1 September 2014.