IS Auditing Guideline: G12 Organisational Relationship and Independence 

 


1. Background

1.1 Linkage to Standards

1.1.1 Standard S2 Independence states: ‘In all matters related to the audit, the IS auditor should be independent of the auditee in both attitude and appearance’.
1.1.2 Standard S2 Independence states: ‘The IS audit function should be independent of the area or activity being reviewed to permit objective completion of the audit assignment’.
1.1.3 Standard S3 Professional Ethics and Standards states: ‘The IS auditor should adhere to the ISACA Code of Professional Ethics’.

1.2 Linkage to COBIT

1.2.1 Selection of the most relevant material in COBIT applicable to the scope of the particular audit is based on the choice of specific COBIT IT processes and consideration of COBIT’s control objectives and associated management practices. To meet the independence requirement of IS auditors, the processes in COBIT most likely to be relevant, selected and adapted are classified here as primary and secondary.
1.2.2 Primary reference: PO4 Define the IT processes, organisation and relationships. This process satisfies the business requirement for IT of being agile in responding to the business strategy whilst complying with governance requirements and providing defined and competent points of contact. It does so by focusing on establishing transparent, flexible and responsive IT organisational structures, and on defining and implementing IT processes with owners, roles and responsibilities integrated into business and decision processes.
1.2.3 Secondary references:

  • ME2 Monitor and evaluate internal control
  • ME4 Provide IT governance
1.2.4 The information criteria most relevant are:
  • Primary: Effectiveness and efficiency
  • Secondary: Confidentiality, integrity, availability, compliance and reliability

1.3 Need for Guideline

1.3.1 The purpose of this guideline is to expand on the meaning of ‘independence’ as used in standard S2 and to address the IS auditor’s attitude and independence in IS auditing.
1.3.2 This guideline provides guidance in applying IS auditing standards. The IS auditor should consider it in determining how to achieve implementation of the above standards, use professional judgement in its application and be prepared to justify any departure.

2. Independence

2.1 Attitude

2.1.1 IS auditors should adhere to applicable codes of professional ethics and auditing standards in all of their work.
2.1.2 As per COBIT, the audit charter should ensure that the independence, authority and accountability of the audit function are established and maintained by appropriate members of the organisation’s management team.

3. Planning

3.1 Staffing

3.1.1 The IS auditor establishes many relationships with people involved in the audit activity and has the opportunity to explore the innermost aspects of the area being audited, often the whole organisation. The IS auditor’s attitude should always be appropriate to this role. Planning should take into account any known relationships.
3.1.2 IS auditors should not participate in an audit if their independence is impaired. For example, independence is impaired if IS auditors have some expectation of financial gain or other personal advantage due to their influence on the results of the audit. However, the IS auditors’ independence would not necessarily be impaired merely because they audit an information system through which their own personal transactions occur in the normal course of business (for example, a payroll or banking system that also processes the auditor’s own account).
3.1.3 At the beginning of the audit, IS auditors may be required to sign a conflict-of-interest statement to declare their independence.

3.2 Prioritised Audit Plan

3.2.1 COBIT process ME4 states: ‘Management should provide for independent audit’. To achieve this objective, an audit plan should be established. This plan should verify that regular and independent assurance is obtained regarding the effectiveness, efficiency and economy of security and internal control procedures. Within this plan, management should determine priorities regarding obtaining independent assurance.

4. Performance of Audit Work

4.1 Organisation

4.1.1 IS auditors should be organisationally independent of the area being audited. Independence is impaired if:

  • The IS auditors have direct control over the area being audited
  • The IS auditors report directly to the individuals who have direct control over the area being audited

Independence may also be impaired if:

  • The IS auditors are required, for tracking purposes, to report the time expended on the audit, including progress, audit issues, etc., to the IT group responsible for the controls being tested, and that group in turn reports the results to senior or executive management. This could be perceived as the IT group project managing the IS auditors and, thus, as an impairment of the IS auditors’ independence.
  • The scope of work performed is based on the requirements of the control process owners for business or regulatory purposes. IS auditors should consider whether independence has been impaired in such situations.
4.1.2 Independence should be regularly assessed by the IS auditor and management. This assessment should consider such factors as changes in personal relationships, financial interests, and prior job assignments and responsibilities. IS auditors should consider the use of control self-assessment techniques in this continuous assessment process.
4.1.3 Depending on the assignment, IS auditors can interview persons, analyse organisational processes, gain assistance from the organisation’s staff, etc. An IS auditor’s attitude and appearance of independence should always be adequate to meet these situations. IS auditors should be aware that the appearance of independence can be influenced by their actions or associations. Perceptions of the IS auditors’ independence could affect the acceptance of their work.
4.1.4 If IS auditors become aware that a situation or relationship is perceived to impair their independence, they should inform audit management of the perceived impairment as soon as possible.

4.2 Gathering Information

4.2.1 Amongst the various items needed to obtain an understanding of the organisation being audited, IS auditors, to preserve their independence, should review:

  • Organisation policies and procedures relating to the independent assurance process
  • Audit charter, mission statement, policies, procedures and standards, prior reports, and audit plans
  • The organisational chart

4.3 Controls Evaluation

4.3.1 IS audit plans should define the activities from which IS auditors are required to be independent. IS auditors’ independence from these activities should be regularly monitored by senior management, or by the person who determines and approves IS audit plans. This monitoring should include an assessment of the process for assigning individual IS auditors to specific assignments, to verify that this process assures independence and sufficient skills.
4.3.2 Verification of the IS auditors’ adherence to applicable professional codes of conduct should always be carried out. In many circumstances, this should be sufficient to provide audit evidence of independence. If there is an indication that an IS auditor’s independence has been compromised, a revision of the audit plan should be considered.

5. Reporting

5.1 Effect on Reporting

5.1.1 In circumstances where the IS auditor’s independence is impaired and the IS auditor continues to be associated with the audit, the facts surrounding the issue of the IS auditor’s independence should be disclosed to the appropriate management and in the report.

6. Effective Date

6.1 This guideline is effective for all IS audits beginning on or after 1 September 2000. The guideline has been reviewed and updated effective 1 August 2008.