The guideline is presented in the following sections:
- Guideline purpose and linkage to standards
- Guideline content
- Linkage to standards and COBIT 5 processes
- Terminology
- Effective date
1. Guideline Purpose and Linkage to Standards
This section clarifies the:
1.1 Purpose of the guideline
1.2 Linkage to standards
1.3 Term usage of ‘audit function’ and ‘professionals’
1.1 Purpose
1.1.1 This guideline provides guidance to IS audit and assurance professionals. Adequate planning helps to ensure that appropriate attention is devoted to important areas of the audit, potential problems are identified and resolved on a timely basis, and the audit engagement is properly organised, managed and performed in an effective and efficient manner.
1.1.2 IS audit and assurance professionals should consider this guideline when determining how to implement the standard, use professional judgement in its application, be prepared to justify any departure and seek additional guidance if considered necessary.
1.2 Linkage to Standards
1.2.1 Standard 1201 Engagement Planning
1.2.2 Standard 1202 Risk Assessment in Planning
1.2.3 Standard 1203 Performance and Supervision
1.2.4 Standard 1204 Materiality
1.3 Term Usage
- ‘IS audit and assurance function’ is referred to as ‘audit function’
- ‘IS audit and assurance professionals’ are referred to as ‘professionals’
2. Guideline Content
The guideline content section is structured to provide information on the following key audit and assurance engagement topics:
2.1 IS audit plan
2.2 Audit engagement objectives
2.3 Scope and business knowledge
2.4 Risk-based approach
2.5 Documenting the audit engagement project plan
2.6 Changes during the course of the audit
2.1 IS Audit Plan
2.1.1 For an audit function, a comprehensive risk-based IS audit plan should be developed and updated, at least annually. A multi-annual (three to five years) time horizon should be established and incorporated into the annual plan. The multi-annual and annual plans should act as a framework for IS audit and assurance activities and serve to address responsibilities set by the audit charter.
2.1.2 The IS audit plan should be prepared so that it complies with any applicable external requirements in addition to the current ISACA standards.
2.1.3 Each audit engagement should be referenced either to the IS audit plan or state the specific mandate, objectives and other relevant aspects of the work to be performed.
2.2 Audit Engagement Objectives
2.2.1 Professionals should define the audit engagement objectives and document them in the audit engagement project plan, so that the engagement is performed in an effective manner. The engagement objectives should be established to address the risk associated with the activity under review.
2.2.2 Professionals should develop an audit engagement project plan that takes into consideration the objectives of the audit engagement. These objectives may influence how the engagement is carried out, e.g., the resources needed, the timeline and the deliverables.
2.3 Scope and Business Knowledge
2.3.1 Before beginning an audit engagement, the work of professionals should be planned in a manner appropriate for meeting the audit objectives. As part of the planning process, professionals should obtain an understanding of the enterprise and its processes. This will assist them in determining the significance of the resources being reviewed as they relate to the objectives of the enterprise. In this way, professionals can focus on the areas most sensitive to fraudulent or inaccurate practices. They should establish the scope of the audit work and also perform a preliminary assessment of the internal controls over the function being reviewed.
2.3.2 Professionals should gain an understanding of the types of personnel, events, transactions and practices that can have a significant effect on the specific enterprise, function, process or data that is the subject of the audit engagement. Knowledge of the enterprise should include the business and financial risk facing the enterprise as well as conditions in the enterprise marketplace and the extent to which the enterprise relies on outsourcing to meet its objectives. Professionals should use this information in identifying potential problems, formulating the objectives and scope of the work, performing the work, and considering actions of management for which they should be alert.
2.4 Risk-based Approach
2.4.1 Professionals should develop an audit engagement project plan to reduce audit risk to an acceptable level.
2.4.2 A risk assessment should be performed to provide reasonable assurance that all material items will be covered adequately during the audit engagement and that professionals will be able to come to a conclusion. This assessment should identify areas with relatively high probability of material problems.
2.4.3 A risk assessment and prioritisation of identified risk for the area under review and the enterprise IS environment should be carried out to the extent necessary.
2.4.4 Normally in the planning process, professionals should establish levels of planning materiality such that the audit work will be sufficient to meet the audit objectives and will use audit resources efficiently. For example, in the review of an existing system, professionals should evaluate materiality of the various components of the system in planning the audit engagement for the work to be performed. Both qualitative and quantitative aspects should be considered in determining materiality.
2.4.5 Before beginning an audit engagement and in the course of the audit, professionals should consider compliance with applicable laws and professional auditing standards.
2.4.6 When professionals evaluate internal controls for the purpose of placing reliance on control procedures in support of information being gathered as part of a larger audit exercise (such as an audit of historical financial information), they should, as a rule, make a preliminary evaluation of the controls and develop the audit engagement project plan on the basis of this evaluation.
2.5 Documenting the Audit Engagement Project Plan
2.5.1 Professionals’ work papers should include the audit engagement project plan.
2.5.2 A clear project definition is a critical success factor for project effectiveness and efficiency. The terms of reference in an audit engagement project plan should include items such as:
- Areas to be audited
- Type of work planned
- High-level objectives and scope of the work
- Fact-finding interviews to be conducted
- Relevant information to be obtained
- Procedures to verify or validate the information obtained and their use as audit evidence
- General topics, e.g.:
  - Resource availability and allocation
  - Schedule dates
  - Type of report
  - Intended audience
- Specific topics, e.g.:
  - Identification of tools needed for gathering evidence, performing tests and preparing/summarising information for reporting
  - Assessment criteria to be used
  - Reporting requirements and distribution
- Other general aspects of the work, when applicable
2.5.3 The project plan should include the requirements related to the timeline of the audit engagement, such as the period covered and the different completion dates, so that the audit engagement is performed within the agreed-on schedule. The plan should also include the budget for the engagement.
2.5.4 Professionals should ensure that the resources assigned to the audit engagement fully cover the required competencies. They should set up an audit engagement team that has the right skills, knowledge and experience to successfully complete the audit engagement, and should assign roles and responsibilities to the IS audit team members whose competencies best match them. For more information refer to Standard 1203 Performance and Supervision.
2.5.5 The audit engagement project plan should list all deliverables that are linked to the audit engagement.
2.5.6 The audit engagement project plan and any subsequent changes to this plan should be approved by the IS audit and assurance management.
2.5.7 After approval by the IS audit and assurance management, the relevant parts of the audit engagement project plan (e.g., scope, timeline, document requirements, interview schedule) should be communicated to the auditees in a timely manner, so that they can provide appropriate and complete access to, and availability of, the needed documents and resources.
2.6 Changes During the Course of the Audit
2.6.1 The audit engagement project plan should be updated and changed as necessary during the course of the audit engagement.
2.6.2 Planning an audit engagement is a continual and iterative process. As a result of unexpected events, changes in conditions or the audit evidence obtained, professionals may need to modify the planned nature, timing and extent of further audit procedures.
2.6.3 The audit plan should consider the possibility of unexpected events that imply risk for the enterprise. Accordingly, the audit engagement project plan should be able to prioritise such events within the audit and assurance processes based on risk.
3. Linkage to Standards and COBIT 5 Processes
This section provides an overview of relevant:
3.1 Linkage to standards
3.2 Linkage to COBIT 5 processes
3.3 Other guidance
3.1 Linkage to Standards
The table provides an overview of:
- The most relevant ISACA standards that are directly supported by this guideline
- Those standard statements that are most relevant to this guideline
Note: Only those standard statements relevant to this guideline are listed.
Relevant Standard Statements

1201 Engagement Planning
- IS audit and assurance professionals shall plan each IS audit and assurance engagement to address:
  - Objective(s), scope, timeline and deliverables
  - Compliance with applicable laws and professional auditing standards
  - Use of a risk-based approach, where appropriate
  - Engagement-specific issues
  - Documentation and reporting requirements
- IS audit and assurance professionals shall develop and document an IS audit or assurance engagement project plan, describing the:
  - Engagement nature, objectives, timeline and resource requirements
  - Timing and extent of audit procedures to complete the engagement

1202 Risk Assessment in Planning
- The IS audit and assurance function shall use an appropriate risk assessment approach and supporting methodology to develop the overall IS audit plan and determine priorities for the effective allocation of IS audit resources.
- IS audit and assurance professionals shall identify and assess risk relevant to the area under review, when planning individual engagements.

1203 Performance and Supervision
- IS audit and assurance professionals shall conduct the work in accordance with the approved IS audit plan to cover identified risk and within the agreed-on schedule.

1204 Materiality
- IS audit and assurance professionals shall consider potential weaknesses or absences of controls while planning an engagement, and whether such weaknesses or absences of controls could result in a significant deficiency or a material weakness.
3.2 Linkage to COBIT 5 Processes
The table provides an overview of the most relevant:
- COBIT 5 processes
- COBIT 5 process purpose
Specific activities performed as part of executing these processes are contained in COBIT 5: Enabling Processes.
| COBIT 5 Process | Process Purpose |
|---|---|
| MEA01 Monitor, evaluate and assess performance and conformance. | Provide transparency of performance and conformance and drive achievement of goals. |
| MEA02 Monitor, evaluate and assess the system of internal control. | Obtain transparency for key stakeholders on the adequacy of the system of internal controls and thus provide trust in operations, confidence in the achievement of enterprise objectives and an adequate understanding of residual risk. |
| MEA03 Monitor, evaluate and assess compliance with external requirements. | Ensure that the enterprise is compliant with all applicable external requirements. |
3.3 Other Guidance
When implementing standards and guidelines, professionals are encouraged to seek other guidance when considered necessary. Such guidance may come from IS audit and assurance:
- Colleagues from within the organisation and/or outside the enterprise, e.g., through professional associations or professional social media groups
- Governance bodies within the organisation, e.g., audit committee
- Other guidance (e.g., books, papers, other guidelines)
4. Terminology

Audit plan
- A plan containing the nature, timing and extent of audit procedures to be performed by engagement team members in order to obtain sufficient appropriate audit evidence to form an opinion. Scope Notes: Includes the areas to be audited, the type of work planned, the high-level objectives and scope of the work, and topics such as budget, resource allocation, schedule dates, type of report and its intended audience and other general aspects of the work.
- A high-level description of the audit work to be performed in a certain period of time.

Audit risk
The risk of reaching an incorrect conclusion based upon audit findings. The three components of audit risk are:
- Control risk
- Detection risk
- Inherent risk

Materiality
An audit concept regarding the importance of an item of information with regard to its impact or effect on the subject matter being audited. An expression of the relative significance or importance of a particular matter in the context of the engagement or the enterprise as a whole.

Risk assessment
A process used to identify and evaluate risk and its potential effects. Risk assessments are used to identify those items or areas that present the highest risk, vulnerability or exposure to the enterprise for inclusion in the IS annual audit plan. Risk assessments are also used to manage the project delivery and project benefit risk.
5. Effective Date
5.1 Effective Date
This revised guideline is effective for all IS audit and assurance engagements beginning on or after 1 September 2014.