The guideline is presented in the following sections:
- Guideline purpose and linkage to standards
- Guideline content
- Linkage to standards and COBIT 5 processes
- Terminology
- Effective date
1. Guideline Purpose and Linkage to Standards
This section clarifies the:
1.1 Purpose of the guideline
1.2 Linkage to standards
1.3 Term usage of ‘audit function’ and ‘professionals’
1.1 Purpose of the Guideline
1.1.1 This guideline provides guidance to assist the IS audit and assurance professionals to acquire the necessary skills and knowledge and maintain the professional competences while carrying out audit engagements.
1.1.2 IS audit and assurance professionals should consider this guideline when determining how to implement the standard, use professional judgement in its application, be prepared to justify any departure and seek additional guidance if considered necessary.
1.2 Linkage to Standards
1.2.1 Standard 1005 Due Professional Care
1.2.2 Standard 1006 Proficiency
1.2.3 Standard 1201 Engagement Planning
1.2.4 Standard 1203 Performance and Supervision
1.3 Term Usage
- ‘IS audit and assurance function’ is referred to as ‘audit function’
- ‘IS audit and assurance professionals’ are referred to as ‘professionals’
2. Guideline Content
The guideline content section is structured to provide information on the following key audit and assurance engagement topics:
2.1 Professional competence
2.2 Evaluation of professional competence
2.3 Reaching the desired level of competence
2.1 Professional Competence
2.1.1 Professional competence implies possessing skills, knowledge and expertise, through an adequate level of education and experience, to have the ability to appropriately perform an audit engagement.
2.1.2 IS audit and assurance management should communicate the desired and/or expected level of professional competence, based on appropriate benchmarks, for the different roles in audit engagements and ensure such benchmarks are periodically reviewed and updated. IS audit and assurance management should document the professional competence required for various job levels, for example by formulating a skills matrix that indicates the professional competence required for the various job levels.
2.1.3 IS audit and assurance management should provide reasonable assurance of the availability of competent resources required to carry out the audit engagements defined in the IS audit plan, and the availability of such competent resources should be confirmed and ensured prior to commencement of the audit engagement.
2.1.4 IS audit and assurance management is responsible for ensuring the team members are competent to perform the audit engagement. Identification of core professional competencies of team members will assist in efficient utilisation of available resources.
2.1.5 Professionals should provide reasonable assurance that they possess the required level of professional competence. They should be responsible for acquiring the required professional and technical skills and knowledge to carry out any assignment they agree to perform.
2.1.6 The required skills and knowledge vary with the professionals’ position and the role with respect to the audit engagement. Requirement for management skills and knowledge should be commensurate with the level of responsibility.
2.1.7 Skills and knowledge include proficiency in the identification and management of risk and controls, as well as audit tools and techniques. Professionals should possess analytical and technical knowledge together with interviewing, interpersonal and presentation skills.
2.1.8 Professionals should possess the knowledge to identify, determine the impact of, and communicate possible conditions or deviations that are material to the audit engagement.
2.1.9 Professionals should possess the ability to recognise possible fraud indicators.
2.1.10 Professionals should have a general knowledge of business fundamentals, e.g., economics, finance, accounting, information technology, risk, tax and law to prevent them from overlooking potential issues or shortcomings.
2.1.11 It is appropriate for professionals to share their experiences, adopted good practices, lessons learned and knowledge gained amongst team members to improve the professional competencies of the resources. The professional competencies of team members are also improved through team building sessions, workshops, conferences, seminars, lectures and other modes of interaction.
2.1.12 To ensure the availability of the appropriate skills, alternative means of acquiring these skills should be assessed. This includes subcontracting specific resources, outsourcing a portion of the IS audit and assurance tasks and/or delaying the audit engagement until the needed skills are available.
2.1.13 External knowledge can be obtained by outsourcing part of the engagement. Collaboration between outsourced resources and internal professionals ensures that knowledge and skills are also developed and maintained internally.
2.1.14 Where any part of the audit engagement is outsourced or expert assistance is obtained, reasonable assurance must be provided that the outsourced agency or the external expert possesses the requisite professional competence.
2.1.15 Where expert assistance is obtained on a continual basis, professional competence of such external experts should be periodically measured, monitored and reviewed against professional standards or benchmarks.
2.2 Evaluation of Professional Competence
2.2.1 Professionals should monitor their skills and knowledge continually to maintain the appropriate level of professional competence. IS audit and assurance management should periodically evaluate professional competence.
2.2.2 Evaluation of the performance of professionals should be carried out in a manner that is fair, transparent, easily understood, unambiguous, without bias and considered a generally acceptable practice given the employment environment.
2.2.3 Evaluation criteria and procedures should be clearly defined, but may vary depending upon circumstances such as geographic location, political climate, nature of assignment, culture and other similar circumstances.
2.2.4 In the case of a team of professionals, evaluation should be carried out internally amongst teams or individuals on a cross-functional basis.
2.2.5 In the case of single (sole) independent professionals, evaluation should be carried out through a peer relationship to the extent possible. If a peer review is not possible, self-evaluation should be conducted and documented.
2.2.6 Evaluation of the performance of professionals should be performed by an appropriate level of management.
2.2.7 Gaps noted during evaluation should be addressed appropriately.
2.3 Reaching the Desired Level of Competence
2.3.1 Gaps noted between the actual level of professional competence and the expected level of professional competence should be recorded and analysed. Where a significant deficiency exists in any resource, such resource should not be used in conducting an audit engagement.
2.3.2 It is important to ascertain the cause for the gap and to take appropriate corrective action measures, such as training and continuing professional education (CPE), as soon as possible.
2.3.3 Training activities required for an audit engagement should be completed within a reasonable time and before commencement of the audit activity.
2.3.4 Effectiveness of training should be measured on completion of training after a reasonable time period.
2.3.5 Documentation of the required skills, such as a skills matrix, as formulated by IS audit and assurance management (2.1.2), will aid in identifying gaps and training needs. The matrix can be cross-referenced to the available resources and their skills and knowledge.
2.3.6 Records of training provided, together with feedback on training and effectiveness of training, should be maintained, analysed and referenced for future use.
2.3.7 CPE is the methodology adopted to maintain professional competence and update skills and knowledge. Professionals should adhere to the requirements of the CPE policies established by the respective professional bodies with which they are associated.
2.3.8 CPE programmes should aid in the enhancement of skills and knowledge and relate to professional and technical requirements of IS assurance, security and governance. Professional bodies ordinarily prescribe programmes eligible for CPE recognition. Professionals should adhere to such norms prescribed by their respective professional bodies.
2.3.9 Professional bodies ordinarily prescribe the methodology for attaining CPE credits and the minimum credits that their constituents should obtain periodically. Professionals must adhere to such norms prescribed by their respective professional bodies. Where professionals are associated with more than one professional body for the purpose of attaining minimum credits, they may use their professional judgement to claim CPE credits from the eligible programmes in a common manner, provided this is consistent with the rules/guidelines framed by the respective professional bodies.
2.3.10 ISACA has a comprehensive policy on CPE, applicable to its members and holders of the CISA designation. Professionals with the CISA designation must comply with ISACA’s CPE policy. Details of the policy are available at www.isaca.org/CISAcpepolicy.
2.3.11 As prescribed by respective professional bodies, including ISACA, professionals are required to maintain appropriate records of CPE programmes, retain them for specific periods and, if required, make them available for audit.
3. Linkage to Standards and COBIT 5 Processes
This section provides an overview of relevant:
3.1 Linkage to standards
3.2 Linkage to COBIT 5 processes
3.3 Other guidance
3.1 Linkage to Standards
The table provides an overview of:
- The most relevant ISACA Standards that are directly supported by this guideline
- Those standard statements that are most relevant to this guideline
Note: Only those standard statements relevant to this guideline are listed.
| Standard | Relevant Standard Statements |
|---|---|
| 1005 Due Professional Care | IS audit and assurance professionals shall exercise due professional care, including observance of applicable professional audit standards, in planning, performing and reporting on the results of engagements. |
| 1006 Proficiency | IS audit and assurance professionals, collectively with others assisting with the assignment, shall possess adequate skills and proficiency in conducting IS audit and assurance engagements and be professionally competent to perform the work required. |
| | IS audit and assurance professionals, collectively with others assisting with the assignment, shall possess adequate knowledge of the subject matter. |
| | IS audit and assurance professionals shall maintain professional competence through appropriate continuing professional education and training. |
| 1201 Engagement Planning | IS audit and assurance professionals shall plan each IS audit and assurance engagement to address: objective(s), scope, timeline and deliverables; compliance with applicable laws and professional auditing standards; use of a risk-based approach, where appropriate; engagement-specific issues; documentation and reporting requirements. |
| | IS audit and assurance professionals shall develop and document an IS audit or assurance engagement project plan, describing the: engagement nature, objectives, timeline and resource requirements; timing and extent of audit procedures to complete the engagement. |
| 1203 Performance and Supervision | IS audit and assurance professionals shall provide supervision to IS audit staff for whom they have supervisory responsibility, to accomplish audit objectives and meet applicable professional audit standards. |
| | IS audit and assurance professionals shall accept only tasks that are within their knowledge and skills or for which they have a reasonable expectation of either acquiring the skills during the engagement or achieving the task under supervision. |
3.2 Linkage to COBIT 5 Processes
The table provides an overview of the most relevant:
- COBIT 5 processes
- COBIT 5 process purpose
Specific activities performed as part of executing these processes are contained in COBIT 5: Enabling Processes.
| COBIT 5 Process | Process Purpose |
|---|---|
| EDM04 Ensure resource optimisation. | Ensure that the resource needs of the enterprise are met in the optimal manner, IT costs are optimised, and there is an increased likelihood of benefit realisation and readiness for future change. |
| APO07 Manage human resources. | Optimise human resources capabilities to meet enterprise objectives. |
| MEA02 Monitor, evaluate and assess the system of internal control. | Obtain transparency for key stakeholders on the adequacy of the system of internal controls and thus provide trust in operations, confidence in the achievement of enterprise objectives and an adequate understanding of residual risk. |
3.3 Other Guidance
When implementing standards and guidelines, professionals are encouraged to seek other guidance when considered necessary. This could be from IS audit and assurance:
- Colleagues from within the organisation and/or outside the enterprise, e.g., through professional associations or professional social media groups
- Governance bodies within the organisation, e.g., audit committee
- Other guidance (e.g., books, papers, other guidelines)
4. Terminology
| Term | Definition |
|---|---|
| Materiality | An audit concept regarding the importance of an item of information with regard to its impact or effect on the subject matter being audited. An expression of the relative significance or importance of a particular matter in the context of the engagement or the enterprise as a whole. |
| Professional competence | A proven level of ability, often linked to qualifications issued by relevant professional bodies and compliance with their codes of practice and standards. |
| Professional judgement | The application of relevant knowledge and experience in making informed decisions about the courses of action that are appropriate in the circumstances of the IS audit and assurance engagement. |
| Proficiency | Possessing skill and experience. |
5. Effective Date
5.1 Effective Date
This revised guideline is effective for all IS audit and assurance engagements beginning on or after 1 September 2014.