IS Auditing Standard

Irregularities and Illegal Acts
Document S9

Introduction

01 ISACA standards contain basic principles and essential procedures identified in bold type, which are mandatory, together with related guidance.
02 The purpose of this ISACA Standard is to establish and provide guidance on irregularities and illegal acts that the IS auditor should consider during the audit process.

Standard

03 In planning and performing the audit to reduce audit risk to a low level, the IS auditor should consider the risk of irregularities and illegal acts.
04 The IS auditor should maintain an attitude of professional scepticism during the audit, recognising the possibility that material misstatements due to irregularities and illegal acts could exist, irrespective of his/her evaluation of the risk of irregularities and illegal acts.
05 The IS auditor should obtain an understanding of the organisation and its environment, including internal controls.
06 The IS auditor should obtain sufficient and appropriate audit evidence to determine whether management or others within the organisation have knowledge of any actual, suspected or alleged irregularities and illegal acts.
07 When performing audit procedures to obtain an understanding of the organisation and its environment, the IS auditor should consider unusual or unexpected relationships that may indicate a risk of material misstatements due to irregularities and illegal acts.
08 The IS auditor should design and perform procedures to test the appropriateness of internal control and the risk of management override of controls.
09 When the IS auditor identifies a misstatement, the IS auditor should assess whether such a misstatement may be indicative of an irregularity or illegal act. If there is such an indication, the IS auditor should consider the implications in relation to other aspects of the audit and in particular the representations of management.
10 The IS auditor should obtain written representations from management at least annually, or more often depending on the audit engagement. Management should:

  • Acknowledge its responsibility for the design and implementation of internal controls to prevent and detect irregularities or illegal acts
  • Disclose to the IS auditor the results of the risk assessment that a material misstatement may exist as a result of an irregularity or illegal act
  • Disclose to the IS auditor its knowledge of irregularities or illegal acts affecting the organisation in relation to:
    – Management
    – Employees who have significant roles in internal control
  • Disclose to the IS auditor its knowledge of any allegations of irregularities or illegal acts, or suspected irregularities or illegal acts affecting the organisation as communicated by employees, former employees, regulators and others

11 If the IS auditor has identified a material irregularity or illegal act, or obtains information that a material irregularity or illegal act may exist, the IS auditor should communicate these matters to the appropriate level of management in a timely manner.
12 If the IS auditor has identified a material irregularity or illegal act involving management or employees who have significant roles in internal control, the IS auditor should communicate these matters in a timely manner to those charged with governance.
13 The IS auditor should advise the appropriate level of management and those charged with governance of material weaknesses in the design and implementation of internal control to prevent and detect irregularities and illegal acts that may have come to the IS auditor’s attention during the audit.
14 If the IS auditor encounters exceptional circumstances that affect the IS auditor’s ability to continue performing the audit because of a material misstatement or illegal act, the IS auditor should consider the legal and professional responsibilities applicable in the circumstances, including whether there is a requirement for the IS auditor to report to those who entered into the engagement or, in some cases, those charged with governance or regulatory authorities, or consider withdrawing from the engagement.
15 The IS auditor should document all communications, planning, results, evaluations and conclusions relating to material irregularities and illegal acts that have been reported to management, those charged with governance, regulators and others.

Commentary

16 The IS auditor should refer to IS Auditing Guideline G19, Irregularities and Illegal Acts, for a definition of what constitutes an irregularity and illegal act.
17 The IS auditor should obtain reasonable assurance that there are no material misstatements due to irregularities and illegal acts. An IS auditor cannot obtain absolute assurance because of factors such as the use of judgement, the extent of testing and the inherent limitations of internal controls. Audit evidence available to the IS auditor during an audit should be persuasive in nature rather than conclusive.
18 The risk of not detecting a material misstatement resulting from an illegal act is higher than the risk of not detecting a material misstatement resulting from an irregularity or error, because illegal acts may involve complex schemes designed to conceal or hide events or intentional misrepresentations to the IS auditor.
19 The IS auditor’s previous experience and knowledge of the organisation should assist the IS auditor during the audit. When making inquiries and performing audit procedures, the IS auditor should not be expected to fully disregard past experience, but should be expected to maintain a level of professional scepticism. The IS auditor should not be satisfied with less than persuasive audit evidence based on a belief that management and those charged with governance are honest and have integrity. The IS auditor and the engagement team should discuss the organisation’s susceptibility to irregularities and illegal acts as part of the planning process and throughout the duration of the audit.

20 To evaluate the risk that material irregularities and illegal acts exist, the IS auditor should consider the use of:

  • His/her previous knowledge and experience with the organisation (including his/her experience of the honesty and integrity of management and those charged with governance)
  • Information obtained by making inquiries of management
  • Management representations and internal control sign-offs
  • Other reliable information obtained during the course of the audit
  • Management’s assessment of the risk of irregularities and illegal acts, and its process for identifying and responding to these risks

21 The following guidance should be referred to for further information on irregularities and illegal acts:

  • IS Auditing Guideline G5, Audit Charter
  • COBIT Framework, control objectives DS3, DS5, DS9, DS11 and PO6
  • Sarbanes-Oxley Act of 2002
  • Foreign Corrupt Practices Act 1977

Operative Date

23 This ISACA Standard is effective for all information systems audits beginning on or after 1 September 2005.
© 2010 ISACA All rights reserved.