IS Audit and Assurance Standard 1205 Evidence 


  Download the PDF Version

The specialised nature of information systems (IS) audit and assurance and the skills necessary to perform such engagements require standards that apply specifically to IS audit and assurance. The development and dissemination of the IS audit and assurance standards are a cornerstone of the ISACA professional contribution to the audit community.

IS audit and assurance standards define mandatory requirements for IS auditing and reporting and inform:

  • IS audit and assurance professionals of the minimum level of acceptable performance required to meet the professional responsibilities set out in the ISACA Code of Professional Ethics
  • Management and other interested parties of the profession’s expectations concerning the work of practitioners
  • Holders of the Certified Information Systems Auditor (CISA) designation of requirements. Failure to comply with these standards may result in an investigation into the CISA holder’s conduct by the ISACA Board of Directors or appropriate committee and, ultimately, in disciplinary action.

IS audit and assurance professionals should include a statement in their work, where appropriate, that the engagement has been conducted in accordance with ISACA IS audit and assurance standards or other applicable professional standards.

The ITAF™ framework for the IS audit and assurance professional provides multiple levels of guidance:

  • Standards, divided into three categories:
    • General standards (1000 series)—Are the guiding principles under which the IS audit and assurance profession operates. They apply to the conduct of all assignments, and deal with the IS audit and assurance professional’s ethics, independence, objectivity and due care as well as knowledge, competency and skill. The standards statements (in bold) are mandatory.
    • Performance standards (1200 series)—Deal with the conduct of the assignment, such as planning and supervision, scoping, risk and materiality, resource mobilisation, supervision and assignment management, audit and assurance evidence, and the exercising of professional judgement and due care
    • Reporting standards (1400 series)—Address the types of reports, means of communication and the information communicated
  • Guidelines, supporting the standards and also divided into three categories:
    • General guidelines (2000 series)
    • Performance guidelines (2200 series)
    • Reporting guidelines (2400 series)
  • Tools and techniques, providing additional guidance for IS audit and assurance professionals, e.g., white papers, IS audit/assurance programmes, the COBIT 5 family of products

An online glossary of terms used in ITAF is provided at

Disclaimer:  ISACA has designed this guidance as the minimum level of acceptable performance required to meet the professional responsibilities set out in the ISACA Code of Professional Ethics. ISACA makes no claim that use of this product will assure a successful outcome. The publication should not be considered inclusive of any proper procedures and tests or exclusive of other procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific procedure or test, controls professionals should apply their own professional judgement to the specific control circumstances presented by the particular systems or IS environment.

The ISACA Professional Standards and Career Management Committee (PSCMC) is committed to wide consultation in the preparation of standards and guidance. Prior to issuing any document, an exposure draft is issued internationally for general public comment. Comments may also be submitted to the attention of the director of professional standards development via email (, fax (+1.847. 253.1443) or postal mail (ISACA International Headquarters, 3701 Algonquin Road, Suite 1010, Rolling Meadows, IL 60008-3105, USA).

ISACA 2012-2013 Professional Standards and Career Management Committee

Steven E. Sizemore, CISA, CIA, CGAP, Chairperson
Christopher Nigel Cooper, CISM, CITP, FBCS, M.Inst.ISP
Ronald E. Franke, CISA, CRISC, CFE, CIA, CICA
Murari Kalyanaramani, CISA, CISM, CRISC, CISSP, CBCP
Alisdair McKenzie, CISA, CISSP, ITCP
Katsumi Sakagawa, CISA, CRISC, PMP
Ian Sanderson, CISA, CRISC, FCA
Timothy Smith, CISA, CISSP, CPA
Rodolfo Szuster, CISA, CA, CBA, CIA
Texas Health and Human Services Commission, USA
HP Enterprises Security Services, UK
Myers and Stauffer LC, USA
British American Tobacco IT Services, Malaysia
IS Assurance Services, New Zealand
JIEC Co. Ltd., Japan
NATO, Belgium
LPL Financial, USA
Tarshop S.A., Argentina


IS audit and assurance professionals shall obtain sufficient and appropriate evidence to draw reasonable conclusions on which to base the engagement results.

IS audit and assurance professionals shall evaluate the sufficiency of evidence obtained to support conclusions and achieve engagement objectives.

Key Aspects

In performing an engagement, IS audit and assurance professionals should:

  • Obtain sufficient and Appropriate evidence, including:
    • The procedures as performed
    • The results of procedures performed
    • Source documents (in either electronic or paper format), records and corroborating information used to support the engagement
    • Findings and results of the engagement
    • Documentation that the work was performed and complies with applicable laws, regulations and policies
  • Prepare documentation, which should be:
    • Retained and available for a time period and in a format that complies with the audit or assurance organisation’s policies and relevant professional standards, laws and regulations
    • Protected from unauthorised disclosure or modification throughout its preparation and retention
    • Properly disposed of at the end of the retention period
  • Consider the sufficiency of the evidence to support the assessed level of control risk when obtaining evidence from a test of controls.
  • Appropriately identify, cross-reference and catalogue evidence.
  • Consider properties such as the source, nature (e.g., written, oral, visual, electronic) and authenticity (e.g., digital and manual signatures, stamps) of the evidence when evaluating its reliability.
  • Consider the most cost-effective and timely means of gathering the necessary evidence to satisfy the objectives and risk of the engagement. However, difficulty or cost is not a valid basis for omitting a necessary procedure.
  • Select the most appropriate procedure to gather evidence depending on the subject matter being audited (i.e., its nature, timing of the audit, professional judgement). Procedures used to obtain the evidence include:
    • Inquiry and confirmation
    • Reperformance
    • Recalculation
    • Computation
    • Analytical procedures
    • Inspection
    • Observation
    • Other generally accepted methods
  • Consider the source and nature of any information obtained to evaluate its reliability and further verification requirements. In general terms, evidence reliability is greater when it is:
    • In written form, rather than oral expressions
    • Obtained from independent sources
    • Obtained by the professional rather than by the entity being audited
    • Certified by an independent party
    • Kept by an independent party
    • The result of inspection
    • The result of observation
  • Obtain objective evidence that is sufficient to enable a qualified independent party to reperform the tests and obtain the same results and conclusions.
  • Obtain evidence commensurate with the materiality of the item and the risk involved.
  • Place due emphasis on the accuracy and completeness of the information when information obtained from the enterprise is used by the IS audit or assurance professional to perform audit procedures.
  • Disclose any situation where Sufficient evidence cannot be obtained in a manner consistent with the communication of the IS audit or assurance engagement results.
  • Secure evidence against unauthorised access and modification.
  • Retain evidence after completion of the IS audit or assurance work as long as necessary to comply with all applicable laws, regulations and policies.


Term Definition
Appropriate evidence The measure of the quality of the evidence
Sufficient evidence The measure of the quantity of evidence; supports all material questions to the audit objective and scope. See evidence.

Linkage to Guidelines

Type Title
Guideline 2205 Evidence

Operative Date

This ISACA standard is effective for all IS audit and assurance engagements beginning 1 November 2013.