IS Audit and Assurance Guideline 2203 Performance and Supervision 



The guideline is presented in the following sections:

  1. Guideline purpose and linkage to standards
  2. Guideline content
  3. Linkage to standards and COBIT 5 processes
  4. Terminology
  5. Effective date

1. Guideline Purpose and Linkage to Standards

1.0 Introduction

This section clarifies the:
1.1 Purpose of the guideline
1.2 Linkage to standards
1.3 Term usage of ‘audit function’ and ‘professionals’

1.1 Purpose

1.1.1 This guideline provides guidance to IS audit and assurance professionals in performing the audit engagement and supervising IS audit team members. It covers:
  • Performing an audit engagement
  • Roles and responsibilities, required knowledge, and skills for performing audit engagements
  • Key aspects of supervision
  • Gathering evidence
  • Documenting work performed
  • Formulating findings and conclusions
1.1.2 IS audit and assurance professionals should consider this guideline when determining how to implement the standard, use professional judgement in its application, be prepared to justify any departure and seek additional guidance if considered necessary.

1.2 Linkage to Standards

1.2.1 Standard 1005 Due Professional Care
1.2.2 Standard 1006 Proficiency
1.2.3 Standard 1201 Engagement Planning
1.2.4 Standard 1203 Performance and Supervision
1.2.5 Standard 1205 Evidence
1.2.6 Standard 1401 Reporting

1.3 Term Usage

1.3.1 Hereafter:
  • ‘IS audit and assurance function’ is referred to as ‘audit function’
  • ‘IS audit and assurance professionals’ are referred to as ‘professionals’

2. Guideline Content

2.0 Introduction

The guideline content section is structured to provide information on the following key audit and assurance engagement topics:
2.1 Performing the work
2.2 Roles and responsibilities, knowledge and skills
2.3 Supervision
2.4 Evidence
2.5 Documenting
2.6 Findings and conclusions

2.1 Performing the Work

2.1.1 Professionals shall plan and perform each audit engagement in accordance with the approved IS audit plan. Setting up an audit engagement project plan, as detailed in Standard 1201 Engagement Planning, allows professionals to understand all elements in scope, the required skills and knowledge to execute the audit engagement within the agreed-on schedule, while covering all identified risk.
2.1.2 The main tasks in performing an audit engagement include:
  • Planning and risk assessment—Professionals should conduct these activities in alignment with standards 1201 Engagement Planning and 1202 Risk Assessment in Planning.
  • Identifying controls—Based on the scope, audit objectives and main areas of risk identified in the IS audit plan, professionals should identify the controls in scope of the audit engagement.
  • Assessing controls and gathering evidence—Professionals should assess the controls in scope by gathering and analysing information and evidence on the design effectiveness and operating effectiveness of the controls, as described in Standard 1205 Evidence.
  • Documenting work performed and identifying findings—Professionals should document the work performed, record the information and evidence gathered and document any identified findings.
  • Confirming findings and following up on corrective actions—Professionals should confirm their findings with the auditee. Should the auditee perform corrective actions on the findings before the end of the audit engagement, professionals should include the actions taken in the documentation (and conclusion), but should also always mention the original findings.
  • Drawing conclusions and reporting—Professionals should draw conclusions and report about the impact of the findings on achieving the audit objectives, as detailed in Standard 1401 Reporting. Focusing only on the control findings, without assessing the impact on the audit objectives, is insufficient.

2.2 Roles and Responsibilities, Knowledge and Skills

2.2.1 Professionals in charge of the audit engagement should define and manage the roles and responsibilities of the IS audit team members throughout the engagement, addressing at a minimum:
  • Designing the methodology and approach
  • Creating audit work programmes
  • Defining execution and review roles
  • Dealing with issues, concerns and problems as they arise
  • Documenting and clearing the findings
  • Writing the report
2.2.2 Based on the engagement needs, professionals in charge should consider the required competencies for the specific audit engagement. They should set up an engagement team that has the combined skills, knowledge and experience to complete the audit engagement successfully. Professionals should make sure to assign those roles and responsibilities to the IS audit team members that best match their competencies.
2.2.3 Professionals should only accept roles, responsibilities and associated tasks that are within their knowledge and skills. Time and cost issues might prohibit professionals from acquiring all of the necessary knowledge and skills before the start of an audit engagement; therefore, professionals are allowed to accept roles, responsibilities and associated tasks if they have reasonable expectation that appropriate measures will be taken during the audit engagement to ensure successful completion. The following measures would allow for such a reasonable expectation:
  • Learning on the job—In certain circumstances, it will be possible for professionals to acquire the necessary skills and knowledge during the audit engagement.
  • Supervision—Professionals in charge could arrange for adequate supervision of the IS audit team members, allowing them to successfully achieve the task under supervision.
  • External resources—Professionals in charge could consider hiring external experts for those areas of the audit engagement that are lacking adequate internal knowledge and skills. Professionals in charge should consider promoting the development of internal IS audit team members by having them work closely with the external expert to assure a transfer of knowledge and skills to the team.
2.2.4 Guidance on acquiring, maintaining and monitoring required competencies is detailed in Standard 1006 Proficiency.

2.3 Supervision

2.3.1 Every task executed during an audit engagement by the IS audit team members should be supervised by professionals that have supervisory responsibilities over them, to ensure that audit objectives and applicable professional audit standards are met. The extent of supervision required will highly depend on the skills, knowledge and experience of professionals executing the task under review and on the complexity of the audit engagement.
2.3.2 Supervision is a process that is present in every step of the audit engagement. This includes:
  • Ensuring the IS audit team members have the combined skills, knowledge and experience to complete the audit engagement successfully
  • Ensuring an appropriate audit engagement project plan and audit work programme is set up and approved
  • Reviewing the audit engagement work papers
  • Ensuring audit engagement communication toward auditees and other relevant stakeholders is accurate, clear, concise, objective, constructive and timely
  • Ensuring that the approved audit engagement work programme is completed at the end of the audit engagement, unless changes were justified and approved beforehand, and the audit engagement objectives are met
  • Providing opportunities for IS audit team members to develop their skills and knowledge
2.3.3 Reviewing audit engagement work papers is required to ensure that all necessary audit procedures are performed, evidence gathered is sufficient and appropriate, and conclusions adequately support the engagement objectives and conclusion or opinion. Considering the objective of the review, this should be performed by IS audit team members having supervisory responsibilities over professionals who created the audit engagement work papers.
2.3.4 During the review process, reviewers should record questions as they arise. When professionals provide an answer or solution to questions raised, care should be taken to ensure that sufficient and appropriate evidence is retained to show that questions were raised, treated and answered.
2.3.5 Appropriate evidence of review should be documented and retained. Options to document evidence of performing a review consist of, but are not limited to:
  • Signing and dating each audit engagement work paper after review
  • Completing an audit engagement work paper review checklist
  • Preparing a signed document that provides a reference to the audit engagement work papers under review and detail the nature, timing, extent and result of the review
All of these options are valid both electronically and on hard copy.
2.3.6 Supervision allows for development and performance evaluation of professionals. Reviewers have a privileged view of the work performed by other IS audit team members, which allows for a detailed and adequate evaluation of their performance. The reviewers should point out areas of development and advise on ways to improve skills and knowledge.

2.4 Evidence

2.4.1 Professionals should obtain evidence that is sufficient and appropriate to form an opinion or support the conclusions and achieve the audit objectives. Determining whether evidence is sufficient and appropriate should be based on the importance of the audit objective and the effort involved in obtaining the evidence.
2.4.2 Professionals should obtain additional evidence if, in their judgement, the evidence obtained does not meet the criteria of being sufficient and appropriate to form an opinion or support the conclusions and achieve the audit objectives.
2.4.3 Professionals should select the most appropriate procedure to gather evidence, depending on the subject matter being audited.
2.4.4 Professionals should consider the source and nature of evidence obtained to evaluate its reliability and the need for further verification.
2.4.5 Appropriate analysis and interpretation should be performed by professionals to support the audit findings and form conclusions. Evidence and information received should be compared with expectations identified or developed by professionals. Professionals should be aware of:
  • Unexpected differences
  • The absence of differences when they were expected
  • Potential errors
  • Fraud or illegal acts
  • Non-compliance with laws or regulations
  • Unusual or nonrecurring activities
2.4.6 Should deviations from expectations be identified, professionals should ask management about the reasons for the difference. Should management’s explanation be adequate, according to professional judgement, professionals should modify their expectations and re-analyse the evidence and information.
2.4.7 Significant deviations not adequately explained by the auditee should result in audit findings and be communicated to executive management or those charged with governance. Depending on the circumstances, professionals could recommend appropriate action to be taken.
2.4.8 Detailed guidance on the different kinds of evidence, procedures to collect evidence, applicable sources, ways to assess evidence, etc., can be found in Standard 1205 Evidence.

2.5 Documenting

2.5.1 Professionals should prepare sufficient, appropriate and relevant documentation in a timely manner that provides a basis for the conclusion and contains evidence of the review performed. Sufficient, appropriate and relevant documentation should enable a prudent and informed person, with no previous connection to the audit engagement, to re-perform the tasks performed during the audit engagement and reach the same conclusion. Documentation should include:
  • Audit engagement objectives and scope of work
  • Audit engagement project plan
  • Audit work programme
  • Audit steps performed
  • Evidence gathered
  • Conclusions and recommendations
2.5.2 Documentation aids in planning, performing and reviewing audit engagements because it:
  • Identifies who of the IS audit team members performed each audit task and their role in preparing and reviewing the documentation
  • Records the evidences requested
  • Supports the accuracy, completeness and validity of the work performed
  • Provides support for the conclusions reached
  • Facilitates the review process
  • Documents whether the engagement objectives were reached
  • Provides the basis for quality improvement programmes
2.5.3 Ordinarily, a preliminary programme for review should be established by professionals before the start of the work. This audit programme should be documented in a manner that permits professionals to record completion of the audit work and identify work that remains to be done. As the work progresses, professionals should evaluate the adequacy of the audit programme based on information gathered during the audit engagement. When professionals determine that the planned procedures are not sufficient, they should modify the audit programme accordingly.
2.5.4 Performance and supervision activities should be documented in audit engagement work papers. The design and content of the audit engagement work papers varies depending on the circumstances of the particular audit engagement. IS audit and assurance management, however, should detail a limited number of standard template work papers for different types of audit engagements. Standard work papers improve the efficiency of the audit engagement and facilitate supervision. IS audit and assurance management should also determine the media carriers to be used, and storage and retention procedures for the work papers.
2.5.5 Professionals should ensure that documentation of the work performed is completed on a timely basis. All information and evidence required to form a conclusion or opinion should be obtained prior to the issue date of the audit report. Audit engagement work papers should include the date they were prepared and reviewed.
2.5.6 Audit engagement work papers are the property of the enterprise. IS audit and assurance management controls the work papers and provides access to authorised personnel. Access requests to audit engagement work papers by external auditors should be approved by executive management and those charged with governance. Access requests by external parties, other than external auditors, should be approved by executive management and those charged with governance, and advised by legal counsel.

2.6 Findings and Conclusions

2.6.1 Professionals should analyse the evidence and information gathered, as described in section 2.4.5. Significant deviations from expectation should result in findings. Professionals should confirm these findings with the auditee, as well as the impact of these findings on other aspects of the control environment.
2.6.2 Professionals can propose corrective actions to be taken, but will never execute them. Should the auditee perform corrective actions that remediate the original finding, before the end of the audit engagement, professionals should include the corrective actions taken in the documentation.
2.6.3 Professionals should conclude on the findings identified and assess their impact on the audit objectives. Conclusions should be formed on the original findings. If corrective actions have been performed, an addendum to the conclusion can be formulated explaining the corrective action and the impact of the corrective action on the original conclusion.
2.6.4 All the conclusions formulated and whether or not the audit objectives have been achieved should be documented in the audit engagement report. Detailed guidance on reporting can be found in Standard 1401 Reporting and Guideline 2401 Reporting.

3. Linkage to Standards and COBIT 5 Processes

3.0 Introduction

This section provides an overview of relevant:
3.1 Linkage to standards
3.2 Linkage to COBIT 5 processes
3.3 Other guidance

3.1 Linkage to Standards

The table provides an overview of:
• The most relevant ISACA Standards that are directly supported by this guideline
• Those standard statements that are most relevant to this guideline

Note: Only those standard statements relevant to this guideline are listed.

Standard Title
Relevant Standard Statements
1005 Due Professional Care IS audit and assurance professionals shall exercise due care, including observance of applicable professional audit standards, in planning, performing and reporting on the results of IS audit or assurance engagements.
1006 Proficiency IS audit and assurance professionals, collectively with others assisting with the assignment, shall possess adequate skills and proficiency in conducting IS audit and assurance engagements and be professionally competent to perform the work required.

IS audit and assurance professionals, collectively with others assisting with the assignment, shall possess adequate knowledge of the subject matter.

1201 Engagement Planning IS audit and assurance professionals shall plan each IS audit and assurance engagement to address:
  • Objective(s), scope, timeline and deliverables
  • Compliance with applicable laws and professional auditing standards
  • Use of a risk-based approach, where appropriate
  • Engagement-specific issues
  • Documentation and reporting requirements
IS audit and assurance professionals shall develop and document an IS audit or assurance engagement project plan, describing the:
  • Engagement nature, objectives, timeline and resource requirements
  • Timing and extent of audit procedures to complete the engagement
1203 Performance and Supervision IS audit and assurance professional shall conduct the work in accordance with the approved IS audit plan to cover identified risk and within the agreed-on schedule.

IS audit and assurance professionals shall provide supervision to IS audit staff whom they have supervisory responsibility for so as to accomplish audit objectives and meet applicable professional audit standards.

IS audit and assurance professionals shall accept only tasks that are within their knowledge and skills or for which they have a reasonable expectation of either acquiring the skills during the engagement or achieving the task under supervision.

IS audit and assurance professionals shall obtain sufficient, reliable, relevant and timely evidence to achieve the audit objectives. The audit findings and conclusions are to be supported by appropriate analysis and interpretation of this evidence.

IS audit and assurance professionals shall document the audit process, describing the audit work and the audit evidence that supports findings and conclusions.

IS audit and assurance professionals shall identify and conclude on findings.
1205 Evidence IS audit and assurance professionals shall obtain sufficient and appropriate evidence to draw reasonable conclusions on which to base the engagement results.

IS audit and assurance professionals shall evaluate the sufficiency of audit evidence obtained to support conclusions and achieve IS audit or assurance engagement objectives.
1401 Reporting IS audit and assurance professionals shall provide a report to communicate the results upon completion of the engagement including:
  • Identification of the enterprise, the intended recipients and any restrictions on content and circulation
  • The scope, engagement objectives, period of coverage and the nature, timing and extent of the work performed
  • The findings, conclusions, and recommendations
  • Any qualifications or limitations in scope that the IS audit and assurance professional has with respect to the engagement
  • Signature, date and distribution according to the terms of the audit charter or engagement letter.
IS audit and assurance professionals shall ensure findings in the audit report are supported by sufficient and appropriate audit evidence.

3.2 Linkage to COBIT 5 Processes

The table provides an overview of the most relevant:
  • COBIT 5 processes
  • COBIT 5 process purpose
Specific activities performed as part of executing these processes are contained in COBIT 5: Enabling Processes.
COBIT 5 Process
Process Purpose
APO07 Manage human resources. Optimise human resources capabilities to meet enterprise objectives.
APO08 Manage relationships. Create improved outcomes, increased confidence, trust in IT and effective use of resources.
MEA02 Monitor, evaluate and assess the system of internal control. Obtain transparency for key stakeholders on the adequacy of the system of internal controls and thus provide trust in operations, confidence in the achievement of enterprise objectives and an adequate understanding of residual risk.

3.3 Other Guidance

When implementing standards and guidelines, professionals are encouraged to seek other guidance, when considered necessary. This could be from IS audit and assurance:
  • Colleagues from within the organisation and/or outside the enterprise, e.g., through professional associations or professional social media groups
  • Management
  • Governance bodies within the organisation, e.g., audit committee
  • Other guidance (e.g., books, papers, other guidelines)

4. Terminology

Control environment The attitude and actions of the board and management regarding the significance of control within the organisation.

The control environment provides discipline and structure for the achievement of the primary objectives of the system of internal control. The control environment includes the following elements:
  • Integrity and ethical values
  • Management philosophy and operating style
  • Organizational structure
  • Assignment of authority and responsibility
  • Human resource policies and practices
  • Competence of personnel
Source: International Standards for the Professional Practice of Internal Auditing, 2010
Design effectiveness If the company's controls are operated as prescribed by persons possessing the necessary authority and competence to perform the control effectively, satisfy the company's control objectives and can effectively prevent or detect errors or fraud that could result in material misstatements in the financial statements, they are considered to be designed effectively. Source: PCAOB, Auditing Standard No. 5, 2007
Operating effectiveness If a control is operating as designed and the person performing the control possesses the necessary authority and competence to perform the control effectively, the control is considered to be operating effectively. Source: PCAOB, Auditing Standard No. 5, 2007

5. Effective Date

5.1 Effective Date

This revised guideline is effective for all IS audit/assurance engagements beginning on or after 1 September 2014.