The guideline is presented in the following sections:
- Guideline purpose and linkage to standards
- Guideline content
- Linkage to standards and COBIT 5 processes
- Terminology
- Effective date
1. Guideline Purpose and Linkage to Standards
This section clarifies the:
1.1 Purpose of the guideline
1.2 Linkage to standards
1.3 Term usage of ‘audit function’ and ‘professionals’
1.1.1 The purpose of this guideline is to detail the different assertions, guide IS audit and assurance professionals in assuring that the criteria, against which the subject matter is to be assessed, supports the assertions, and provide guidance on formulating a conclusion and drafting a report on the assertions.
1.1.2 IS audit and assurance professionals should consider this guideline when determining how to implement the standard, use professional judgement in its application, be prepared to justify any departure and seek additional guidance if considered necessary.
1.2 Linkage to Standards
1.2.1 Standard 1007 Assertions
1.2.2 Standard 1008 Criteria
1.2.3 Standard 1204 Materiality
1.2.4 Standard 1206 Using the Work of Other Experts
1.2.5 Standard 1401 Reporting
1.3 Term Usage
- ‘IS audit and assurance function’ is referred to as ‘audit function’
- ‘IS audit and assurance professionals’ are referred to as ‘professionals’
2. Guideline Content
The guideline content section is structured to provide information on the following key audit and assurance engagement topics:
2.1 Assertions
2.2 Subject matter and criteria
2.3 Assertions developed by third parties
2.4 Conclusion and report
2.1 Assertions
2.1.1 Assertions are any declaration or set of declarations about whether the subject matter is based on or in conformity with the criteria selected. Professionals should consider these assertions throughout the execution of an audit engagement, obtain assurance on their achievement and express this in the audit report.
2.1.2 Common assertions that may be considered include:
- Confidentiality—Preserving authorised restrictions on access and disclosure, including means for protecting privacy and proprietary information
- Completeness—All activities, information and other data that should have been recorded are recorded, e.g., all IT system changes promoted to production are recorded in the change management tracking application
- Accuracy—Amounts, dates and other data related to recorded activities have been recorded appropriately, e.g., data related to the promotion of IT system changes into production are accurately displayed in the change records of the change management tracking application
- Integrity—Information, evidence and other data received come from trustworthy and reliable sources, e.g., the change records requested by professionals are received from the compliance manager, a trustworthy and reliable source within the enterprise
- Availability—Information, evidence and other data required for the audit engagement exist and are accessible, e.g., the requested change records exist and are readily accessible in the change management tracking application
- Compliance—Information, evidence and other data have been recorded according to the enterprise, regulatory or other applicable stipulations, e.g., required fields, according to the applicable stipulations, are present on the change records of the change management tracking application
2.1.3 Management is responsible for defining and approving subject matter and related assertions. Professionals should ensure that any assertions developed by management are what a knowledgeable reader or user would expect compared to other standards or authoritative pronouncements.
2.1.4 A precondition for professionals to accept the audit engagement should be the confirmation from management that it fully understands its responsibility to provide all required information regarding the subject matter and the assertions to professionals. If professionals believe that management will not be able to fulfil this responsibility, they should:
- Inform IS audit and assurance management and those charged with governance of the identified issue
- Not accept the proposed audit engagement
2.1.5 Professionals should review the selected assertions for the audit engagement and ensure that they are:
- Sufficient—Enough to meet the purpose of the audit engagement, which is expressing an opinion or conclusion on the subject matter in scope
- Valid—Able to be tested, given the subject matter in scope
- Relevant—Have a direct connection to the subject matter in scope and contribute to meeting the purpose of the audit engagement
2.2 Subject Matter and Criteria
2.2.1 The subject matter of an audit engagement is determined by management and those charged with governance. Usually, the IS audit engagement subject matter will not be as accurately defined as it is with financial audit engagements. For example, the subject matter of IS audit and assurance engagements can vary from one system and its interfaces, to a process (covering multiple systems and interfaces), or even all IS-related operations of a certain department.
2.2.2 Professionals should assess the subject matter of the audit engagement against predetermined criteria to express an opinion or conclusion on the subject matter. Professionals should evaluate these criteria to ensure that they support the relevant assertions.
2.2.3 One criterion can link to multiple assertions. On the other hand, one assertion can also be supported by multiple criteria that all provide a part of the assurance in attaining the assertion.
2.2.4 Should professionals conclude that the criteria do not fully support all of the relevant assertions, they should make suggestions for modifying the existing criteria or for adding further criteria. IS audit and assurance management reviews and approves or rejects the new or modified criteria.
2.2.5 Next to assessing that the criteria fully support the relevant assertions, professionals should also assess that the criteria can be subject to objective and measurable analysis, as detailed in Standard 1008 Criteria.
2.3 Assertions Developed by Third Parties
2.3.1 Enterprises outsourcing operations to third parties will receive reports about the control environment of the outsourced operations. Management reviews each report to determine whether:
- The report is issued by a relevant independent professional body
- The audit opinion is qualified or unqualified
- The scope of the control objectives adequately covers the controls required by the enterprise
- The period being audited is in line with the enterprise expectation
- Specific control deficiencies (that did not lead to an overall qualification of the report) are relevant to the enterprise
- The assertions being used are in line with the required assertions
2.3.2 IS audit and assurance management should document the analysis made and conclusions reached. Professionals should ensure that the assertions are verified and formally approved by management, as part of an audit engagement that has the outsourced operations in scope. Standard 1206 Using the Work of Other Experts provides further guidance on this topic.
2.4 Conclusion and Report
2.4.1 After assessing the subject matter of the audit engagement against the criteria, professionals should form a conclusion on each assertion, based on the aggregate of the findings against related criteria, along with professional judgement.
2.4.2 After forming a conclusion, professionals should issue an indirect or direct report on the subject matter:
- Indirect report—On the assertions about the subject matter. For example, on the assertion ‘completeness,’ for a component of the subject matter: ‘Based on our operating effectiveness testing, in our opinion the IT system changes promoted to production, in all material respects according to the selected criteria, have been completely recorded in the change management tracking application.’
- Direct report—On the subject matter itself. For example, on the entire subject matter: ‘Based on our testing, in our opinion the IT system changes follow, in all material respects according to the selected criteria, the required change management procedure.’
3. Linkage to Standards and COBIT 5 Processes
This section provides an overview of relevant:
3.1 Linkage to standards
3.2 Linkage to COBIT 5 processes
3.3 Other guidance
3.1 Linkage to Standards
The table provides an overview of:
- The most relevant ISACA Standards that are directly supported by this guideline
- Those standard statements that are most relevant to this guideline
Note: Only those standard statements relevant to this guideline are listed.
| Standard | Relevant Standard Statements |
|---|---|
| 1007 Assertions | IS audit and assurance professionals shall review the assertions against which the subject matter will be assessed to determine that such assertions are capable of being audited and that the assertions are sufficient, valid and relevant. |
| 1008 Criteria | IS audit and assurance professionals shall select criteria, against which the subject matter will be assessed, that are objective, complete, relevant, measurable, understandable, widely recognised, authoritative and understood by, or available to, all readers and users of the report. |
| 1204 Materiality | IS audit and assurance professionals shall disclose the following in the audit report: absence of controls or ineffective controls; significance of the control deficiency; likelihood of these weaknesses resulting in a significant deficiency or material weakness. |
| 1206 Using the Work of Other Experts | IS audit and assurance professionals shall assess, review and evaluate the work of other experts as part of the engagement, and document the conclusion on the extent of use and reliance on their work. |
| 1401 Reporting | IS audit and assurance professionals shall provide a report to communicate the results upon completion of the engagement, including: identification of the enterprise, the intended recipients and any restrictions on content and circulation; the scope, engagement objectives, period of coverage and the nature, timing and extent of the work performed; the findings, conclusions and recommendations; any qualifications or limitations in scope that the IS audit and assurance professional has with respect to the engagement; signature, date and distribution according to the terms of the audit charter or engagement letter. |
3.2 Linkage to COBIT 5 Processes
The table provides an overview of the most relevant:
- COBIT 5 processes
- COBIT 5 process purpose
Specific activities performed as part of executing these processes are contained in COBIT 5: Enabling Processes.
| COBIT 5 Process | Process Purpose |
|---|---|
| EDM01 Ensure governance framework setting and maintenance. | Provide a consistent approach integrated and aligned with the enterprise governance approach. To ensure that IT-related decisions are made in line with the enterprise’s strategies and objectives, ensure that IT-related processes are overseen effectively and transparently, compliance with legal and regulatory requirements is confirmed, and the governance requirements for the board members are met. |
| MEA02 Monitor, evaluate and assess the system of internal control. | Obtain transparency for key stakeholders on the adequacy of the system of internal controls and thus provide trust in operations, confidence in the achievement of enterprise objectives and an adequate understanding of residual risk. |
3.3 Other Guidance
When implementing standards and guidelines, professionals are encouraged to seek other guidance when considered necessary. This could be from IS audit and assurance:
- Colleagues from within the organisation and/or outside the enterprise, e.g., through professional associations or professional social media groups
- Governance bodies within the organisation, e.g., audit committee
- Other guidance (e.g., books, papers, other guidelines)
4. Terminology
| Term | Definition |
|---|---|
| Assertion | Any formal declaration or set of declarations about the subject matter made by management. Assertions should usually be in writing and commonly contain a list of specific attributes about the specific subject matter or about a process involving the subject matter. |
| Criteria | The standards and benchmarks used to measure and present the subject matter and against which an IS auditor evaluates the subject matter. Criteria should be: objective (free from bias); complete (include all relevant factors to reach a conclusion); relevant (relate to the subject matter); and measurable (provide for consistent measurement). In an attestation engagement, benchmarks against which management’s written assertion on the subject matter can be evaluated. The practitioner forms a conclusion concerning subject matter by referring to suitable criteria. |
| Professional judgement | The application of relevant knowledge and experience in making informed decisions about the courses of action that are appropriate in the circumstances of the IS audit and assurance engagement. |
| Subject matter | The specific information subject to an IS auditor’s report and related procedures, which can include things such as the design or operation of internal controls and compliance with privacy practices or standards or specified laws and regulations (area of activity). |
5. Effective Date
5.1 Effective Date
This revised guideline is effective for all IS audit and assurance engagements beginning on or after 1 September 2014.