Standards, Guidelines, Tools and Techniques 

The specialised nature of information systems (IS) audit and assurance and the skills necessary to perform such engagements require standards that apply specifically to IS audit and assurance. The development and dissemination of the IS audit and assurance standards are a cornerstone of the ISACA professional contribution to the audit community.

IS audit and assurance standards define mandatory requirements for IS auditing and reporting and inform:
  • IS audit and assurance professionals of the minimum level of acceptable performance required to meet the professional responsibilities set out in the ISACA Code of Professional Ethics
  • Management and other interested parties of the profession’s expectations concerning the work of practitioners
  • Holders of the Certified Information Systems Auditor (CISA) designation of requirements. Failure to comply with these standards may result in an investigation into the CISA holder’s conduct by the ISACA Board of Directors or appropriate committee and, ultimately, in disciplinary action.
ITAF™, 2nd Edition provides a framework for multiple levels of guidance:
  • IS Audit and Assurance Standards, divided into three categories:
    • General standards (1000 series)—Are the guiding principles under which the IS assurance profession operates. They apply to the conduct of all assignments, and deal with the IS audit and assurance professional’s ethics, independence, objectivity and due care as well as knowledge, competency and skill.
    • Performance standards (1200 series)—Deal with the conduct of the assignment, such as planning and supervision, scoping, risk and materiality, resource mobilisation, supervision and assignment management, audit and assurance evidence, and the exercising of professional judgement and due care
    • Reporting standards (1400 series)—Address the types of reports, means of communication and the information communicated
  • IS Audit and Assurance Guidelines, designed to directly support the standards and help practitioners achieve alignment with the standards. They follow the same categorisation as the standards (also divided into three categories):
    • General guidelines (2000 series)
    • Performance guidelines (2200 series)
    • Reporting guidelines (2400 series)
  • IS Audit and Assurance Tools and Techniques, which provide additional guidance for IS audit and assurance professionals and consist, among other things, of white papers, IS audit/assurance programmes, reference books, and the COBIT 5 family of products. Tools and techniques are listed under

An online glossary of terms used in ITAF is provided at

Disclaimer: ISACA has designed this guidance as the minimum level of acceptable performance required to meet the professional responsibilities set out in the ISACA Code of Professional Ethics. ISACA makes no claim that use of this product will assure a successful outcome. The publication should not be considered inclusive of any proper procedures and tests or exclusive of other procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific procedure or test, the control professionals should apply their own professional judgement to the specific control circumstances presented by the particular systems or IS environment.


IS Audit and Assurance Standards
(effective 1 November)

1001 Audit Charter
1002 Organisational Independence
1003 Professional Independence
1004 Reasonable Expectation
1005 Due Professional Care
1006 Proficiency
1007 Assertions
1008 Criteria

1201 Engagement Planning
1202 Risk Assessment in Planning
1203 Performance and Supervision
1204 Materiality
1205 Evidence
1206 Using the Work of Other Experts
1207 Irregularity and Illegal Acts

1401 Reporting
1402 Follow-up Activities

IS Audit and Assurance Guidelines
(in exposure)

Please note that the following list captures the structure and naming convention of the guidelines as they are being updated for integration into ITAF. An exposure draft of the revised guidelines is posted for comment on the ISACA web site.

2001 Audit Charter (G5)
2002 Organisational Independence (G12)
2003 Professional Independence (G17 and G34)
2004 Reasonable Expectation
2005 Due Professional Care (G7)
2006 Proficiency (G30)
2007 Assertions
2008 Criteria

2201 Engagement Planning (G15)
2202 Risk Assessment in Planning (G13)
2203 Performance and Supervision (G8)
2204 Materiality (G6)
2205 Evidence (G2)
2206 Using the Work of Other Experts (G1)
2207 Irregularity and Illegal Acts (G9)
2208 Sampling (G10)

2401 Reporting (G20)
2402 Follow-up Activities (G35)

The ISACA Professional Standards and Career Management Committee (PSCMC) is dedicated to ensuring wide consultation in the preparation of ITAF standards and guidelines. Prior to issuing any document, an exposure draft is issued internationally for general public comment.

Comments may also be submitted to the attention of the Director of Professional Standards Development via email, fax (+1.847.253.1443) or postal mail (ISACA International Headquarters, 3701 Algonquin Road, Suite 1010, Rolling Meadows, IL 60008-3105, USA).

Links to current and exposed ISACA Standards, Guidelines, and Tools and Techniques are posted at

The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.

Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute and their committees, and from opinions endorsed by authors’ employers, or the editors of this Journal. ISACA Journal does not attest to the originality of authors’ content.

© 2013 ISACA. All rights reserved.

Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, MA 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.