Download the PDF Version
The specialised nature of information systems (IS) audit and assurance and the skills necessary to perform such engagements require standards that apply specifically to IS audit and assurance. The development and dissemination of the IS audit and assurance standards are a cornerstone of the ISACA professional contribution to the audit community.
IS audit and assurance standards define mandatory requirements for IS auditing and reporting and inform:
- IS audit and assurance professionals of the minimum level of acceptable performance required to meet the professional responsibilities set out in the ISACA Code of Professional Ethics
- Management and other interested parties of the profession’s expectations concerning the work of practitioners
- Holders of the Certified Information Systems Auditor (CISA) designation of requirements. Failure to comply with these standards may result in an investigation into the CISA holder’s conduct by the ISACA Board of Directors or appropriate committee and, ultimately, in disciplinary action.
IS audit and assurance professionals should include a statement in their work, where appropriate, that the engagement has been conducted in accordance with ISACA IS audit and assurance standards or other applicable professional standards.
The ITAF™ framework for the IS audit and assurance professional provides multiple levels of guidance:
- Standards, divided into three categories:
- General standards (1000 series)—Are the guiding principles under which the IS audit and assurance profession operates. They apply to the conduct of all assignments, and deal with the IS audit and assurance professional’s ethics, independence, objectivity and due care as well as knowledge, competency and skill. The standards statements (in bold) are mandatory.
- Performance standards (1200 series)—Deal with the conduct of the assignment, such as planning and supervision, scoping, risk and materiality, resource mobilisation, supervision and assignment management, audit and assurance evidence, and the exercising of professional judgement and due care
- Reporting standards (1400 series)—Address the types of reports, means of communication and the information communicated
- Guidelines, supporting the standards and also divided into three categories:
- General guidelines (2000 series)
- Performance guidelines (2200 series)
- Reporting guidelines (2400 series)
- Tools and techniques, providing additional guidance for IS audit and assurance professionals, e.g., white papers, IS audit/assurance programmes, the COBIT 5 family of products
An online glossary of terms used in ITAF is provided at www.isaca.org/glossary.
Disclaimer: ISACA has designed this guidance as the minimum level of acceptable performance required to meet the professional responsibilities set out in the ISACA Code of Professional Ethics. ISACA makes no claim that use of this product will assure a successful outcome. The publication should not be considered inclusive of any proper procedures and tests or exclusive of other procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific procedure or test, controls professionals should apply their own professional judgement to the specific control circumstances presented by the particular systems or IS environment.
The ISACA Professional Standards and Career Management Committee (PSCMC) is committed to wide consultation in the preparation of standards and guidance. Prior to issuing any document, an exposure draft is issued internationally for general public comment. Comments may also be submitted to the attention of the director of professional standards development via email ([email protected]), fax (+1.847. 253.1443) or postal mail (ISACA International Headquarters, 3701 Algonquin Road, Suite 1010, Rolling Meadows, IL 60008-3105, USA).
ISACA 2012-2013 Professional Standards and Career Management Committee
Steven E. Sizemore, CISA, CIA, CGAP, Chairperson
Christopher Nigel Cooper, CISM, CITP, FBCS, M.Inst.ISP
Ronald E. Franke, CISA, CRISC, CFE, CIA, CICA
Murari Kalyanaramani, CISA, CISM, CRISC, CISSP, CBCP
Alisdair McKenzie, CISA, CISSP, ITCP
Katsumi Sakagawa, CISA, CRISC, PMP
Ian Sanderson, CISA, CRISC, FCA
Timothy Smith, CISA, CISSP, CPA
Rodolfo Szuster, CISA, CA, CBA, CIA
Texas Health and Human Services Commission, USA
HP Enterprises Security Services, UK
Myers and Stauffer LC, USA
British American Tobacco IT Services, Malaysia
IS Assurance Services, New Zealand
JIEC Co. Ltd., Japan
LPL Financial, USA
Tarshop S.A., Argentina
IS audit and assurance professionals shall select criteria, against which the subject matter will be assessed, that are objective, complete, relevant, measurable, understandable, widely recognised, authoritative, and understood by, or available to, all readers and users of the report.
IS audit and assurance professionals shall consider the source of the criteria and focus on those issued by relevant authoritative bodies before accepting lesser-known criteria.
IS audit and assurance professionals should:
- Consider the selection of Criteria carefully and be able to justify the selection.
- Use professional judgement in ensuring that, if applied, the use of the criteria will enable the development of a fair and objective opinion or conclusion that will not mislead the reader or user. It is recognised that management might put forth criteria that do not meet all of the requirements.
- Consider the suitability and availability of criteria in determining the engagement requirements.
- Where criteria are not readily available, are incomplete or are subject to interpretation, include a description and any other information necessary to ensure that the report is fair, objective and understandable, and that the context in which the criteria are used is included in the report.
The suitability and appropriateness of subject matter assessment criteria should be assessed against the following five suitability criteria:
- Objectivity—Criteria should be free from bias that may adversely impact the professional’s findings and conclusions and, accordingly, may mislead the user of the report.
- Completeness—Criteria should be sufficiently complete so that all criteria that could affect the professional’s conclusions about the subject matter are identified and used in the conduct of the IS audit or assurance engagement.
- Relevance—Criteria should be relevant to the subject matter and contribute to findings and conclusions that meet the objectives of the IS audit or assurance engagement.
- Measurability—Criteria should permit consistent measurement of the subject matter and the development of consistent conclusions when applied by different professionals in similar circumstances.
- Understandability—Criteria should be communicated clearly and not be subject to significantly different interpretations by intended users.
The acceptability of criteria is affected by the availability of the criteria to users of the professional’s report, so that users understand the basis of the assurance activity and the relevance of the findings and conclusions. Sources may include those that are:
- Recognised—Criteria should be sufficiently well recognised so that their use is not questioned by intended users.
- Authoritative—Criteria should be sought that reflect authoritative pronouncements within the area and are appropriate for the subject matter. For example, authoritative pronouncements may come from professional bodies, industry groups, government and regulators.
- Publicly available—Criteria should be available to the users of the professional’s report. Examples include standards developed by professional accounting and audit bodies such as ISACA, International Federation of Accountants (IFAC), and other recognised government or professional bodies.
- Available to all users—Where criteria are not publicly available, they should be communicated to all users through assertions that form part of the professional’s report. Assertions consist of statements about the subject matter that meet the requirements of suitable criteria so that they can be audited.
In addition to suitability and availability, the selection of IS assurance criteria should also consider the source—in terms of their use and the potential audience. For example, when dealing with government regulations, criteria based on assertions developed from the legislation and regulations that apply to the subject matter may be most appropriate. In other cases, industry or trade association criteria may be relevant. Possible criteria sources, listed in order of consideration, are:
- Criteria established by ISACA—These are publicly available criteria and standards that have been exposed to peer review and a thorough due-diligence process by recognised international experts in IT governance, control, security and assurance.
- Criteria established by other bodies of experts—Similar to ISACA standards and criteria, these are relevant to the subject matter and have been developed and exposed to peer review and a thorough due-diligence process by experts in various fields.
- Criteria established by laws and regulations—While laws and regulations can provide the basis of criteria, care must be taken in their use. Frequently, wording is complex and carries a specific legal meaning. In many cases, it may be necessary to restate the requirements as assertions. Further, expressing an opinion on legislation is usually restricted to members of the legal profession.
- Criteria established by enterprises that do not follow due process—These include relevant criteria developed by other enterprises that did not follow due process and have not been subject to public consultation and debate.
- Criteria developed specifically for the IS audit or assurance engagement—While criteria developed specifically for the IS audit or assurance engagement may be appropriate, particular care must be taken to ensure that these criteria meet the suitability criteria, particularly completeness, measurability and objectivity. Criteria developed specifically for an IS audit or assurance engagement are in the form of assertions.
The selection criteria should be considered carefully. While adhering to local laws and regulations is important and must be considered a mandatory requirement, it is recognised that many IS audit and assurance engagements include areas, such as change management, IT general controls and access controls, not covered by law or regulations. In addition, some industries, such as the payment card industry, have established mandatory requirements that must be met. Where legislative requirements are principle-based, the professional should ensure that criteria selected meet the engagement objective.
As the engagement progresses, additional information may result in certain criteria not being necessary to achieve the objectives. In these circumstances, further work related to the criteria is not necessary.
||The standards and benchmarks used to measure and present the subject matter and against which an IS auditor evaluates the subject matter.|
Criteria should be:
In an attestation engagement, benchmarks against which management's written assertion on the subject matter can be evaluated. The practitioner forms a conclusion concerning subject matter by referring to suitable criteria.
- Objective—Free from bias
- Complete—Include all relevant factors to reach a conclusion
- Relevant—Relate to the subject matter
- Measurable—Provide for consistent measurement
Linkage to Guidelines
This ISACA standard is effective for all IS audit and assurance engagements beginning 1 November 2013.