The guideline is presented in the following sections:
- Guideline purpose and linkage to standards
- Guideline content
- Linkage to standards and COBIT 5 processes
- Terminology
- Effective date
1. Guideline Purpose and Linkage to Standards
This section clarifies the:
1.1 Purpose of the guideline
1.2 Linkage to standards
1.3 Term usage of ‘audit function’ and ‘professionals’
1.1.1 The purpose of this guideline is to assist IS audit and assurance professionals in selecting criteria, against which the subject matter will be assessed, that are suitable, acceptable and come from a relevant source.
1.1.2 IS audit and assurance professionals should consider this guideline when determining how to implement the standard, use professional judgement in its application, be prepared to justify any departure and seek additional guidance if considered necessary.
1.2 Linkage to Standards
1.2.1 Standard 1007 Assertions
1.2.2 Standard 1008 Criteria
1.3 Term Usage
- ‘IS audit and assurance function’ is referred to as ‘audit function’
- ‘IS audit and assurance professionals’ are referred to as ‘professionals’
2. Guideline Content
The guideline content section is structured to provide information on the following key audit and assurance engagement topics:
2.1 Selection and use of criteria
2.2 Suitability of criteria
2.3 Acceptability of criteria
2.4 Source of criteria
2.5 Change in criteria during the audit engagement
2.1 Selection and Use of Criteria
2.1.1 Professionals shall select criteria, against which the subject matter will be assessed. When selecting the criteria, professionals shall carefully consider the suitability, acceptability and source of the criteria, as described in sections 2.2, 2.3 and 2.4, respectively.
2.1.2 Professionals should consider the selection of criteria carefully. Adhering to local laws and regulations is important and should be considered a mandatory requirement. However, it is recognised that many audit engagements include areas, such as change management, IT general controls and access controls, that are not covered by law or regulations. In addition, some industries, such as the payment card industry, have established mandatory requirements. The relevance of local and international data protection rules and privacy regulations should be considered. Where legislative requirements are principle-based, professionals should ensure that the criteria selected meet the audit objective.
2.1.3 The use of suitable and acceptable criteria is required to ensure a consistent evaluation of the subject matter. Without the right criteria, any conclusion or opinion formed will be open to misunderstanding and to subjective interpretation by the reader.
2.1.4 Professionals should refrain from evaluating the subject matter on the basis of their own expectations, experiences or judgements, because this would not be considered as suitable and acceptable criteria.
2.1.5 Where criteria are not readily available, incomplete or subject to interpretation, professionals should include a description and any other information necessary to ensure that the report is fair, objective and understandable, and the context in which the criteria are used is clear.
2.1.6 Professional judgement should be used in ensuring that the use of the criteria will enable the development of a fair and objective opinion or conclusion that will not mislead the reader or user. It is recognised that management might put forth criteria that do not meet all of the requirements.
2.2 Suitability of Criteria
2.2.1 Professionals should assess the suitability and appropriateness of the criteria used for assessing the subject matter. The example criterion ‘Local law stipulates that all personal information of clients should always remain private when conducting data transactions’ is used to clarify the following criteria attributes:
- Objectivity—Free from bias that may adversely impact professionals’ findings and conclusions and, accordingly, may mislead the user of the audit report, e.g., the criterion is objective because it is ratified by local law
- Completeness—Sufficiently complete so that all criteria that could affect professionals’ conclusions about the subject matter are identified and used in the conduct of the audit engagement. Thus, completeness of all criteria used should be achieved, given the objectives of the audit engagement.
- Relevance—Relevant to the subject matter and contribute to findings and conclusions that meet the objectives of the audit engagement. Criteria can be context-sensitive; even for the same subject matter there can be different criteria depending on the objectives and circumstances of the audit engagement, e.g., the criterion is considered relevant because data transactions are in scope of this audit engagement.
- Measurability—Permit consistent measurement of the subject matter and the development of consistent conclusions when applied by different professionals in similar circumstances, e.g., the criterion is measurable because every data transaction with unprotected personal information can be uniquely identified and thus consistently measured
- Understandability—Communicated clearly and not subject to significantly different interpretations by intended users, e.g., the criterion is understandable because this section of the law has already been the subject of multiple court rulings, helping to establish a clear understanding about the practical execution and interpretation of the law
2.3 Acceptability of Criteria
2.3.1 The acceptability of criteria is affected by the availability of the criteria to the users of the audit report, so that users understand the basis of the assurance activity and the relevance of the findings and conclusions. Sources may include those criteria that are:
- Recognised—Sufficiently well recognised so that their use is not questioned by intended users
- Authoritative—Reflect authoritative pronouncements within the area and are appropriate for the subject matter, e.g., authoritative pronouncements may come from professional bodies, industry groups, government and regulators
- Publicly available—Includes standards developed by professional accounting and audit bodies such as ISACA, International Federation of Accountants (IFAC), and other recognised government, legal or professional bodies
- Available to all users—Where not publicly available, criteria should be communicated to all users through assertions that form part of the audit report. Assertions consist of statements about the subject matter that meet the requirements of ‘suitable criteria’ so that they can be audited, as described in Standard 1007 Assertions.
2.3.2 Professionals should ensure that the criteria used in an audit engagement are either:
- Externally accepted—Recognised, authoritative and publicly available
- Externally confirmed—Criteria developed by management (for a specific audit engagement) are not considered recognised, authoritative and publicly available. Before use, these criteria require external validation by a recognised independent third party to ensure that management does not implicitly enforce a wanted outcome of the audit engagement.
2.4 Source of Criteria
2.4.1 In addition to suitability and availability, the selection of IS assurance criteria should also consider their source, in terms of their use and the potential audience. For example, when dealing with government regulations, criteria based on assertions developed from the legislation and regulations that apply to the subject matter may be most appropriate. In other cases, industry or trade association criteria may be relevant. Possible criteria sources, listed in order of consideration, are:
- Criteria established by ISACA—Publicly available criteria and standards that have been exposed to peer review and a thorough due-diligence process by recognised international experts in IT governance, control, security and assurance.
- Criteria established by other bodies of experts—Similar to ISACA standards and criteria, these are relevant to the subject matter and have been developed and exposed to peer review and a thorough due-diligence process by experts in various fields.
- Criteria established by laws and regulations—While laws and regulations can provide the basis of criteria, care must be taken in their use. Frequently, wording is complex and carries a specific legal meaning. In many cases, it may be necessary to restate the requirements as assertions. Further, expressing an opinion on legislation is usually restricted to members of the legal profession.
- Criteria established by entities that did not follow due process—These include relevant criteria developed by other entities that did not follow due process and have not been subject to public consultation and debate.
- Criteria developed specifically for the audit engagement—While criteria developed specifically for the audit engagement may be appropriate, take particular care to ensure that these criteria are suitable, especially objective, complete and measurable. Criteria developed specifically for an audit engagement are in the form of assertions. They are usually developed to pertain to the needs of a specific user. For example, various frameworks can be used as established criteria for evaluating the effectiveness of the internal control system; a certain user, however, may develop a set of criteria that meets specific needs, e.g., a hierarchy of authorised approvals. Professionals should clearly mention in the audit report that certain criteria are developed specifically for the audit engagement. They should consider if the developed criteria could mislead the intended user and, if required, provide more information on the criteria. Where these criteria were developed by management, external confirmation should be sought and mentioned in the report, as described in 2.3.2.
2.5 Change in Criteria During the Audit Engagement
2.5.1 As the audit progresses, additional information and insight on the subject matter may result in a change of selected criteria:
- Certain criteria might not be needed anymore to achieve the audit objective. In these circumstances, further audit work related to the criteria is not necessary.
- There might be a need for extra criteria to achieve the audit objective. In these circumstances, extra criteria will be selected and audit work related to the criteria will be conducted.
3. Linkage to Standards and COBIT 5 Processes
This section provides an overview of relevant:
3.1 Linkage to standards
3.2 Linkage to COBIT 5 processes
3.3 Other guidance
3.1 Linkage to Standards
The table provides an overview of:
- The most relevant ISACA standards that are directly supported by this guideline
- Those standard statements that are most relevant to this guideline
Note: Only those standard statements relevant to this guideline are listed.
| Standard | Relevant Standard Statements |
| 1007 Assertions | IS audit and assurance professionals shall review the assertions against which the subject matter will be assessed to determine that such assertions are capable of being audited and that the assertions are sufficient, valid and relevant. |
| 1008 Criteria | IS audit and assurance professionals shall select criteria, against which the subject matter will be assessed, that are objective, complete, relevant, measurable, understandable, widely recognised, authoritative and understood by, or available to, all readers and users of the report. |
3.2 Linkage to COBIT 5 Processes
The table provides an overview of the most relevant:
- COBIT 5 processes
- COBIT 5 process purpose
Specific activities performed as part of executing these processes are contained in COBIT 5: Enabling Processes.
| COBIT 5 Process | Process Purpose |
| EDM01 Ensure governance framework setting and maintenance. | Provide a consistent approach integrated and aligned with the enterprise governance approach. To ensure that IT-related decisions are made in line with the enterprise’s strategies and objectives, ensure that IT-related processes are overseen effectively and transparently, compliance with legal and regulatory requirements is confirmed, and the governance requirements for the board members are met. |
| MEA02 Monitor, evaluate and assess the system of internal control. | Obtain transparency for key stakeholders on the adequacy of the system of internal controls and thus provide trust in operations, confidence in the achievement of enterprise objectives and an adequate understanding of residual risk. |
3.3 Other Guidance
When implementing standards and guidelines, professionals are encouraged to seek other guidance, when considered necessary. This could be from IS audit and assurance:
- Colleagues from within the organisation and/or outside the enterprise, e.g., through professional associations or professional social media groups
- Governance bodies within the organisation, e.g., audit committee
- Other guidance (e.g., books, papers, other guidelines)
4. Terminology
| Term | Definition |
| Assertion | Any formal declaration or set of declarations about the subject matter made by management. Assertions should usually be in writing and commonly contain a list of specific attributes about the specific subject matter or about a process involving the subject matter. |
| Criteria | The standards and benchmarks used to measure and present the subject matter and against which an IS auditor evaluates the subject matter. Criteria should be: objective (free from bias); complete (include all relevant factors to reach a conclusion); relevant (relate to the subject matter); measurable (provide for consistent measurement). In an attestation engagement, benchmarks against which management's written assertion on the subject matter can be evaluated. The practitioner forms a conclusion concerning subject matter by referring to suitable criteria. |
| Professional judgement | The application of relevant knowledge and experience in making informed decisions about the courses of action that are appropriate in the circumstances of the IS audit and assurance engagement. |
| Subject matter | The specific information subject to an IS auditor’s report and related procedures, which can include things such as the design or operation of internal controls and compliance with privacy practices or standards or specified laws and regulations (area of activity). |
5. Effective Date
5.1 Effective Date
This revised guideline is effective for all IS audit and assurance engagements beginning on or after 1 September 2014.