ISACA Member and Certification Holder Compliance
The specialised nature of IT audit and assurance, and the skills necessary to perform such audits, require standards that apply specifically to IT audit and assurance. One of the goals of ISACA® is to advance globally applicable standards to meet its vision. The development and dissemination of the IT Audit and Assurance Standards are a cornerstone of the ISACA professional contribution to the audit and assurance community. The framework for the IT Audit and Assurance Standards provides multiple levels of guidance: Standards, which define mandatory requirements for IS auditing and reporting; Guidelines, which provide guidance in applying the Standards; and Tools and Techniques, which provide examples of procedures an IS auditor might follow in an audit engagement.
COBIT® is an IT governance framework and supporting tool set that allows managers to bridge the gaps amongst control requirements, technical issues and business risks. COBIT enables clear policy development and good practice for IT control throughout enterprises. It emphasises regulatory compliance, helps enterprises increase the value attained from IT, enables alignment and simplifies implementation of the COBIT framework’s concepts. COBIT is intended for use by business and IT management as well as IT audit and assurance professionals; therefore, its usage enables the understanding of business objectives and communication of good practices and recommendations to be made around a commonly understood and well-respected framework. COBIT is available for download on the ISACA web site, www.isaca.org/cobit.
Links to current guidance are posted on the standards page, www.isaca.org/standards.
The titles of issued standards documents are:
IT Audit and Assurance Standards
S1 Audit Charter (effective 1 January 2005)
S2 Independence (effective 1 January 2005)
S3 Professional Ethics and Standards (effective 1 January 2005)
S4 Professional Competence (effective 1 January 2005)
S5 Planning (effective 1 January 2005)
S6 Performance of Audit Work (effective 1 January 2005)
S7 Reporting (effective 1 January 2005)
S8 Follow-up Activities (effective 1 January 2005)
S9 Irregularities and Illegal Acts (effective 1 September 2005)
S10 IT Governance (effective 1 September 2005)
S11 Use of Risk Assessment in Audit Planning (effective 1 November 2005)
S12 Audit Materiality (effective 1 July 2006)
S13 Using the Work of Other Experts (effective 1 July 2006)
S14 Audit Evidence (effective 1 July 2006)
S15 IT Controls (effective 1 February 2008)
S16 E-commerce (effective 1 February 2008)

IT Audit and Assurance Guidelines
G1 Using the Work of Other Auditors and Experts (effective 1 March 2008)
G2 Audit Evidence Requirement (effective 1 May 2008)
G3 Use of Computer Assisted Audit Techniques (CAATs) (effective 1 March 2008)
G4 Outsourcing of IS Activities to Other Organisations (effective 1 May 2008)
G5 Audit Charter (effective 1 February 2008)
G6 Materiality Concepts for Auditing Information Systems (effective 1 May 2008)
G7 Due Professional Care (effective 1 March 2008)
G8 Audit Documentation (effective 1 March 2008)
G9 Audit Considerations for Irregularities (effective 1 March 2000)
G10 Audit Sampling (effective 1 March 2000)
G11 Effect of Pervasive IS Controls (effective 1 March 2000)
G12 Organisational Relationship and Independence (effective 1 September 2000)
G13 Use of Risk Assessment in Audit Planning (effective 1 September 2000)
G14 Application Systems Review (effective 1 November 2001)
G15 Planning Revised (effective 1 March 2002)
G16 Effect of Third Parties on an Organisation's IT Controls (effective 1 March 2002)
G17 Effect of Nonaudit Role on the IS Auditor's Independence (effective 1 July 2002)
G18 IT Governance (effective 1 July 2002)
G19 Irregularities and Illegal Acts (effective 1 July 2002)
G20 Reporting (effective 1 January 2003)
G21 Enterprise Resource Planning (ERP) Systems Review (effective 1 August 2003)
G22 Business-to-consumer (B2C) E-commerce Reviews (effective 1 August 2003)
G23 System Development Life Cycle (SDLC) Reviews (effective 1 August 2003)
G24 Internet Banking (effective 1 August 2003)
G25 Review of Virtual Private Networks (effective 1 July 2004)
G26 Business Process Reengineering (BPR) Project Reviews (effective 1 July 2004)
G27 Mobile Computing (effective 1 September 2004)
G28 Computer Forensics (effective 1 September 2004)
G29 Post-implementation Review (effective 1 January 2005)
G30 Competence (effective 1 June 2005)
G31 Privacy (effective 1 June 2005)
G32 Business Continuity Plan (BCP) Review From IT Perspective (effective 1 September 2005)
G33 General Considerations for the Use of the Internet (effective 1 March 2006)
G34 Responsibility, Authority and Accountability (effective 1 March 2006)
G35 Follow-up Activities (effective 1 March 2006)
G36 Biometric Controls (effective 1 February 2007)
G37 Configuration and Release Management (effective 1 November 2007)
G38 Access Controls (effective 1 February 2008)
G39 IT Organisation (effective 1 May 2008)
G40 Review of Security Management Practices (effective 1 December 2008)
G41 Return on Security Investment (ROSI) (effective 1 May 2010)
G42 Continuous Assurance (effective 1 May 2010)

IT Audit and Assurance Tools and Techniques
P1 IS Risk Assessment Measurement (effective 1 July 2002)
P2 Digital Signatures and Key Management (effective 1 July 2002)
P3 Intrusion Detection Systems (IDS) Review (effective 1 August 2003)
P4 Malicious Logic (effective 1 August 2003)
P5 Control Risk Self-assessment (effective 1 August 2003)
P6 Firewalls (effective 1 August 2003)
P7 Irregularities and Illegal Acts (effective 1 December 2003)
P8 Security Assessment—Penetration Testing and Vulnerability Analysis (effective 1 September 2004)
P9 Evaluation of Management Controls Over Encryption Methodologies (effective 1 January 2005)
P10 Business Application Change Control (effective 1 October 2006)
P11 Electronic Funds Transfer (EFT) (effective 1 May 2007)
Standards for Information System Control Professionals (effective 1 September 1999)

Statement of Scope
  .010 Responsibility, Authority and Accountability
Independence
  .010 Professional Independence
  .020 Organisational Relationship
Professional Ethics and Standards
  .010 Code of Professional Ethics
  .020 Due Professional Care
Competence
  .010 Skills and Knowledge
  .020 Continuing Professional Education
Planning
  .010 Control Planning
Performance of Work
Reporting
  .010 Periodic Reporting

Code of Professional Ethics (revised May 2003)
The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.
Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute® and their committees, and from opinions endorsed by authors’ employers, or the editors of this Journal. ISACA Journal does not attest to the originality of authors’ content.
© 2010 ISACA. All rights reserved.
Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, MA 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.