The guideline is presented in the following sections:
- Guideline purpose and linkage to standards
- Guideline content
- Linkage to standards and COBIT 5 processes
- Effective date
1. Guideline Purpose and Linkage to Standards
This section clarifies the:
1.1 Purpose of the guideline
1.2 Linkage to standards
1.3 Term usage of ‘audit function’ and ‘professionals’
1.1.1 The purpose of this guideline is to provide IS audit and assurance professionals with guidance on how to deal with irregularities and illegal acts.
1.1.2 The guideline details the responsibilities of both management and IS audit and assurance professionals with regards to irregularities and illegal acts. It furthermore provides guidance on how to deal with irregularities and illegal acts during the planning and performance of the audit work. Finally, the guideline suggests good practices for internal and external reporting on irregularities and illegal acts.
1.1.3 IS audit and assurance professionals should consider this guideline when determining how to implement the standards, use professional judgement in their application, be prepared to justify any departure and seek additional guidance if considered necessary.
1.2 Linkage to Standards
1.2.1 Standard 1005 Due Professional Care
1.2.2 Standard 1201 Engagement Planning
1.2.3 Standard 1202 Risk Assessment in Planning
1.2.4 Standard 1207 Irregularity and Illegal Acts
1.2.5 Standard 1401 Reporting
1.3 Term Usage
- ‘IS audit and assurance function’ is referred to as ‘audit function’
- ‘IS audit and assurance professionals’ are referred to as ‘professionals’
2. Guideline Content
The guideline content section is structured to provide information on the following key audit and assurance engagement topics:
2.1 Irregularities and illegal acts
2.2 Responsibilities of management
2.3 Responsibilities of the professionals
2.4 Irregularities and illegal acts during engagement planning
2.5 Designing and reviewing engagement procedures
2.6 Responding to irregularities and illegal acts
2.7 Internal reporting
2.8 External reporting
2.1 Irregularities and Illegal Acts
2.1.1 Irregularities and illegal acts can directly impact an enterprise in many (negative) ways, affecting finances and reputation, as well as indirectly affecting productivity and the retention of employees. Therefore, it is important that enterprises have awareness, prevention and detection mechanisms in place to identify irregularities and illegal acts quickly. Irregularities and illegal acts are more likely to occur in areas where there are non-existent, poorly designed or malfunctioning controls.
2.1.2 Irregularities and illegal acts can be committed by an employee at any level within the enterprise and may include activities such as, but not limited to:
2.1.3 The determination of whether a particular act is illegal generally would be based on the advice of an informed expert qualified to practice law or may have to await final determination by a court of law. Professionals should be concerned primarily with the effect or potential effect of the irregular action, irrespective of whether the act is suspected or proven as illegal.
- Fraud, which is any act involving the use of deception to obtain illegal advantage
- Deliberate misrepresentation of facts with the aim of gaining illegal advantage or hiding irregularities or illegal acts
- Acts that involve non-compliance with laws and regulations, including the failure of IT systems to meet applicable laws and regulations
- Unauthorised disclosure of data that is subject to privacy laws
- Acts that involve non-compliance with enterprise agreements and contracts with third parties, such as banks, suppliers, vendors, service providers and stakeholders
- Manipulation, falsification, forgery or alteration of records or documents (whether in electronic or paper form)
- Suppression or omission of the effects of transactions from records or documents (whether in electronic or paper form)
- Inappropriate or deliberate leakage of confidential information
- Recording of transactions in financial or other records (whether in electronic or paper form) that lack substance and are known to be false (e.g., false disbursement, payroll fraud, tax evasion)
- Misappropriation and misuse of assets
- Skimming or defalcation, which is the misappropriation of cash before it is recorded in the financial records of an enterprise
- Acts, whether intentional or unintentional, that violate intellectual property (IP) rights, such as copyright, trademark or patents
- Granting unauthorised access to information and systems
- Errors in financial or other records that arise due to unauthorised access to data and systems
2.1.4 Not all irregularities should be considered fraudulent activities. The determination of fraudulent activities depends on the legal definition of fraud in the respective jurisdiction. Fraudulent irregularities include, but are not limited to:
Non-fraudulent irregularities may include:
- Deliberate circumvention of controls with the intent to conceal the perpetuation of fraud
- Unauthorised use of assets or services
- Abetting or helping to conceal these types of activities
- Intentional violations of established management policy
- Intentional violations of regulatory requirements
- Deliberate misstatements or omissions of information concerning the area under audit or the enterprise as a whole
- Gross negligence
- Unintentional illegal acts
2.2 Responsibilities of Management
2.2.1 It is primarily management’s and the board’s responsibility to provide controls to deter, prevent and detect irregularities and illegal acts.
2.2.2 Management typically uses the following means to obtain reasonable assurance that irregularities and illegal acts are deterred, prevented or detected in a timely manner:
2.2.3 Management should disclose to professionals its knowledge of any irregularities or illegal acts and areas affected, whether alleged, suspected or proven, and the action, if any, taken by management.
- Designing, implementing and maintaining internal control systems to prevent and detect irregularities or illegal acts. Internal controls include transaction review and approval, and management review procedures.
- Policies and procedures governing employee conduct
- Compliance validation and monitoring procedures
- Designing, implementing and maintaining suitable systems for the reporting, recording and management of incidents relating to irregularities or illegal acts
- Policies and procedures governing compliance and regulatory requirements
2.2.4 Where an act of irregularity or illegal nature is alleged, suspected or detected, management should aid the process of investigation and inquiry.
2.3 Responsibilities of the Professionals
2.3.1 Professionals should consider defining in the audit charter the responsibilities of management and IS audit and assurance management with respect to preventing, detecting and reporting irregularities, so that these are clearly understood for all audit work. Where these responsibilities are already documented in enterprise policy or a similar document, the audit charter should include a statement to that effect.
2.3.2 Professionals should understand that control mechanisms cannot completely eliminate the possibility of irregularities or illegal acts occurring. Professionals are responsible for assessing the risk of irregularities or illegal acts occurring, evaluating the impact of identified irregularities, and designing and performing tests that are appropriate for the nature of the audit assignment.
2.3.3 Professionals are not responsible for the prevention or detection of irregularities or illegal acts. An audit engagement cannot guarantee that irregularities will be detected. Even when an audit is planned and performed appropriately, irregularities could go undetected, e.g., if there is collusion between employees, collusion between employees and outsiders, or management involvement in the irregularities. The aim is to determine the control is in place, adequate, effective and complied with.
2.3.4 Where professionals have specific information about the existence of an irregularity or illegal act, they have an obligation to report it.
2.3.5 Professionals should inform management and those charged with governance when they have identified situations where a higher level of risk exists for a potential irregularity or illegal act, even if none is detected.
2.3.6 Professionals should be reasonably familiar with the area under review to be able to identify risk factors that may contribute to the occurrence of irregular or illegal acts.
2.4 Irregularities and Illegal Acts During Engagement Planning
2.4.1 Professionals should assess the risk of occurrence of irregularities or illegal acts connected with the area under audit following the use of the appropriate methodology. In preparing this assessment, professionals should consider factors such as:
2.4.2 As part of the planning process and performance of the risk assessment, professionals should inquire of management, and obtain written representations if appropriate, with regard to such things as:
- Organisational characteristics, e.g., corporate ethics, organisational structure, adequacy of supervision, compensation and reward structures, the extent of corporate performance pressures, enterprise direction
- The history of the enterprise, past occurrences of irregularities, and the activities subsequently taken to mitigate or minimise the findings related to irregularities
- Recent changes in management, operations or IS systems and the current strategic direction of the enterprise
- Impacts resulting from new strategic partnerships
- The types of assets held or services offered, and their susceptibility to irregularities
- Evaluation of the strength of relevant controls and vulnerabilities to circumvent or bypass established controls
- Applicable regulatory or legal requirements
- Internal policies such as a whistle-blower policy, insider trading policy, and employee and management code of ethics
- Stakeholder relations and financial markets
- Human resources capabilities
- Confidentiality and integrity of market-critical information
- Audit findings from previous audits
- The industry and competitive environment in which the enterprise operates
- Findings of reviews conducted outside the scope of the audit, such as findings from consultants, quality assurance teams or specific management investigations
- Findings that have arisen during the day-to-day course of business
- Existence of process documentation and/or a quality management system
- The technical sophistication and complexity of the information system(s) supporting the area under audit
- Existence of in-house developed/maintained application systems for core business systems compared with packaged software
- The effect of employee dissatisfaction
- Potential layoffs, outsourcing, divestiture or restructuring
- The existence of assets that are easily susceptible to misappropriation
- Poor organisational financial and/or operational performance
- Management’s attitude with regard to ethics
- Irregularities and illegal acts that are common to a particular industry or have occurred in similar organisations
- Their understanding regarding the level of risk of irregularities and illegal acts in the organisation
- Whether they have knowledge of irregularities and illegal acts that have or could have occurred against or within the organisation
- Management responsibility for designing and implementing internal controls to prevent irregularities and illegal acts
- How the risk of irregularities or illegal acts is monitored or managed
- What processes are in place to communicate about alleged, suspected or existent irregularities or illegal acts to appropriate stakeholders
- Applicable national and regional laws in the jurisdiction in which the organisation operates and the extent of coordination the legal department has with the risk committee and/or audit committee
2.5 Designing and Reviewing Engagement Procedures
2.5.1 While professionals have no explicit responsibility to detect or prevent illegal acts or irregularities, they should design procedures for the audit engagement that take into account the level of risk for irregularities and illegal acts that has been identified.
2.5.2 Professionals should use the results of the risk assessment to determine the nature, timing and extent of the testing required to obtain sufficient audit evidence of reasonable assurance that the following are identified:
2.5.3 Professionals should review the results of engagement procedures to determine whether there are indications that irregularities or illegal acts may have occurred. Using computer assisted audit techniques (CAATs) could aid significantly in the effective and efficient detection of irregularities or illegal acts.
- Irregularities that could have a material effect on the area under audit, or on the enterprise as a whole
- Control weaknesses that would fail to prevent or detect material irregularities
- All significant deficiencies in the design or operation of internal controls that could potentially affect the issuer’s ability to record, process, summarise and report business data
2.5.4 When this evaluation is performed, risk factors identified in 2.4.1 should be reviewed against the actual procedures performed to provide reasonable assurance that all identified risk has been addressed.
2.6 Responding to Irregularities and Illegal Acts
2.6.1 During an audit engagement, indications of the existence of irregularities or illegal acts may come to the attention of professionals. They should consider the potential effect of the irregularities or illegal acts on the subject matter of the engagement, the audit objectives, the audit engagement report and the enterprise.
2.6.2 Professionals should demonstrate an attitude of professional scepticism. Indicators (sometimes called ‘Fraud or Red Flags’) of persons committing irregularities or illegal acts are:
Professionals should pay close attention when noticing these behaviours.
- Overrides of controls by management
- Irregular or poorly explained management behaviour
- Consistently over performing, compared to set targets
- Problems with, or delays in, receiving requested information or evidence
- Transactions not following the normal approval cycles
- Increase in activity of a certain customer
- Increase in complaints from customers
- Deviating access controls for some applications or users
2.6.3 When professionals become aware of information concerning a possible irregularity or illegal act, they should consider taking the following steps after direction from the appropriate legal authority:
2.6.4 Professionals should then consult with audit management to determine their next actions which may involve reporting the ‘event’ to enterprise management, passing further action to internal fraud investigators, and/or reporting to law enforcement or regulators.
- Obtain an understanding of the nature of the act
- Understand the circumstances in which the act occurred
- Gather evidence of the occurrence of the act (e.g., letters, system records, computer files, security logs, customer of vendor information)
- Identify all persons involved in committing the act
- Obtain sufficient supportive information to evaluate the effect of the act
- Perform limited additional procedures to determine the effect of the act and whether additional acts exist
- Document and preserve all evidence and work performed
2.6.5 When an irregularity involves a member of management, professionals should reconsider the reliability of representations made by management. Typically, professionals should work with an appropriate level of management above the one associated with the irregularity or illegal act.
2.7 Internal Reporting
2.7.1 The detection of irregularities and illegal acts should be communicated (in writing or orally) to the appropriate people in the enterprise in a timely manner by professionals. The notification should be directed to a level of management above that at which the irregularities and illegal acts are suspected to have occurred. In addition, irregularities and illegal acts should be reported to those charged with governance in the enterprise, such as the board of directors, trustees, audit committee or equivalent body, except for matters that are clearly insignificant in terms of both financial effect and indications of control weaknesses.
If professionals suspect that all levels of management are involved, then the findings should be confidentially reported directly to those charged with enterprise governance, such as the board of directors, trustees, audit committee or equivalent body, according to the local applicable laws and regulations. Local laws and regulations may prohibit reporting to parties other than the prescribed legal authority.
2.7.2 Professionals should use professional judgement when reporting an irregularity or illegal act. They should discuss the findings and the nature, timing and extent of any further procedures to be performed with an appropriate level of management that is at least one level above the persons who appear to be involved. In these circumstances, it is particularly important that professionals maintain their independence.
2.7.3 The individuals included in the internal distribution of reports of irregularities or illegal acts should be considered carefully. The occurrence and effect of irregularities or illegal acts is a sensitive issue and report distribution carries its own risk, including:
2.7.4 Professionals should consider reporting the irregularity or illegal act separately from any other audit issues if this would assist in controlling the distribution of the report.
- Further abuse of the control weaknesses as a result of publishing details of them
- Loss of customers, suppliers and investors when disclosure (authorised or unauthorised) occurs outside the enterprise
- Loss of key staff and management, including those not involved in the irregularity or illegal act, because confidence in management and the future of the enterprise decreases
2.7.5 Professionals should seek to avoid alerting any person who may be implicated or involved in the irregularity or illegal act, to reduce the potential for those individuals to destroy or suppress evidence.
2.7.6 The audit charter should define professionals’ responsibilities with regards to reporting irregularities or illegal acts.
2.8 External Reporting
2.8.1 External reporting of fraud, irregularity or illegal acts may be a legal or regulatory obligation. The obligation may apply to enterprise management or the individuals involved in detecting the irregularities, or both. Legal reporting requirements for the auditor are subject to local jurisdiction and supercede internal policy and/or contractual agreements. Additional situations that may require external reporting include:
2.8.2 Where external reporting is required, prior to external release the form and content of the information reported should be approved by the appropriate level of IS audit and assurance management and reviewed with auditee executive management, unless prevented by applicable regulations or specific circumstances of the audit engagement. Examples of specific circumstances that may prevent obtaining auditee executive management’s agreement include:
- Compliance with legal or regulatory requirements
- Court order
- Funding agency or government agency in accordance with requirements for the audits of entities that receive governmental financial assistance
- External auditor requests
2.8.3 If auditee executive management does not agree to the external release of the report, and external reporting is a statutory or a regulatory obligation, then professionals should consider consulting the audit committee and legal counsel about the advisability and risk of reporting the findings outside the enterprise. Even in situations where professionals are protected by privilege, they should seek legal advice and counsel prior to making this type of disclosure to ensure that they are in fact protected by this privilege.
- Auditee executive management's active involvement in the irregularity or illegal act
- Auditee executive management's passive acquiescence to the irregularity or illegal act
2.8.4 Professionals, with the approval of IS audit and assurance management, should report irregularities or illegal acts to appropriate regulators on a timely basis. If the enterprise fails to disclose a known irregularity or illegal act or requires professionals to suppress these findings, professionals should seek legal advice and counsel.
2.8.5 If an irregularity or illegal act has been detected by professionals, then they should inform the external auditors in a timely manner.
2.8.6 Where professionals are aware that management is required to report fraudulent activities to an outside organisation, the professionals should formally advise management of this responsibility.
3. Linkage to Standards and COBIT 5 Processes
This section provides an overview of relevant:3.1 Linkage to Standards The table provides an overview of:
3.1 Linkage to standards
3.2 Linkage to COBIT 5 processes
3.3 Other guidance
- The most relevant ISACA Standards that are directly supported by this guideline
- Those standard statements that are most relevant to this guideline
Note: Only those standard statements relevant to this guideline are listed.
Relevant Standard Statements
|1005 Due Professional Care
||IS audit and assurance professionals shall exercise due professional care, including observance of applicable professional audit standards, in planning, performing and reporting on the results of engagements.|
|1201 Engagement Planning
||IS audit and assurance professionals shall plan each IS audit and engagement to address:
- Objective(s), scope, timeline and deliverables
- Compliance with applicable laws and professional auditing standards
- Use of a risk-based approach, where appropriate
- Engagement-specific issues
- Documentation and reporting requirements
|1202 Risk Assessment in Planning
||The IS audit and assurance function shall use an appropriate risk assessment approach and supporting methodology to develop the overall IS audit plan and determine priorities for the effective allocation of IS audit resources.|
IS audit and assurance professionals shall identify and assess risk relevant to the area under review, when planning individual engagements.
IS audit and assurance professionals shall consider subject matter risk, audit risk and related exposure to the enterprise.
|1207 Irregularity and Illegal Acts
||IS audit and assurance professionals shall consider the risk of irregularities and illegal acts during the engagement.|
IS audit and assurance professionals shall maintain an attitude of professional scepticism during the engagement.
IS audit and assurance professionals shall document and communicate any material irregularities or illegal act to the appropriate party in a timely manner.
||IS audit and assurance professionals shall ensure findings in the audit report are supported by sufficient, reliable and relevant evidence.|
3.2 Linkage to COBIT 5 Processes
The table provides an overview of the most relevant:
Specific activities performed as part of executing these processes are contained in COBIT 5: Enabling Processes.
- COBIT 5 processes
- COBIT 5 process purpose
COBIT 5 Process
|EDM03 Ensure risk optimisation.
||Ensure that IT-related enterprise risk does not exceed risk appetite and risk tolerance, the impact of IT risk to enterprise value is identified and managed, and the potential for compliance failures is minimised.|
|APO12 Manage risk.
||Integrate the management of IT-related enterprise risk with overall ERM, and balance the costs and benefits of managing IT-related enterprise risk.|
|MEA02 Monitor, evaluate and assess the system of internal control.
||Obtain transparency for key stakeholders on the adequacy of the system of internal controls and thus provide trust in operations, confidence in the achievement of enterprise objectives and an adequate understanding of residual risk.|
|MEA03 Monitor, evaluate and assess compliance with external requirements.
||Ensure that the enterprise is compliant with all applicable external requirements.|
3.3 Other Guidance
When implementing standards and guidelines, professionals are encouraged to seek other guidance when considered necessary. This could be from IS audit and assurance:
- Colleagues from within the enterprise
- Governance bodies within the enterprise, e.g., audit committee
- Professional organisations
- Other professional guidance (e.g., books, papers, other guidelines)
||Violation of an established management policy or regulatory requirement. It may consist of deliberate misstatements or omission of information concerning the area under audit or the enterprise as a whole gross negligence or unintentional illegal acts.|
||An attitude that includes a questioning mind and a critical assessment of audit evidence. Source: American Institute of Certified Public Accountants (AICPA) AU 230.07 |
5. Effective Date
5.1 Effective Date
This revised guideline is effective for all IS audit/assurance engagements beginning on or after 1 September 2014.