Download the PDF Version
The specialised nature of information systems (IS) audit and assurance and the skills necessary to perform such engagements require standards that apply specifically to IS audit and assurance. The development and dissemination of the IS audit and assurance standards are a cornerstone of the ISACA professional contribution to the audit community.
IS audit and assurance standards define mandatory requirements for IS auditing and reporting and inform:
- IS audit and assurance professionals of the minimum level of acceptable performance required to meet the professional responsibilities set out in the ISACA Code of Professional Ethics
- Management and other interested parties of the profession’s expectations concerning the work of practitioners
- Holders of the Certified Information Systems Auditor (CISA) designation of requirements. Failure to comply with these standards may result in an investigation into the CISA holder’s conduct by the ISACA Board of Directors or appropriate committee and, ultimately, in disciplinary action.
IS audit and assurance professionals should include a statement in their work, where appropriate, that the engagement has been conducted in accordance with ISACA IS audit and assurance standards or other applicable professional standards.
The ITAF™ framework for the IS audit and assurance professional provides multiple levels of guidance:
- Standards, divided into three categories:
- General standards (1000 series)—Are the guiding principles under which the IS audit and assurance profession operates. They apply to the conduct of all assignments, and deal with the IS audit and assurance professional’s ethics, independence, objectivity and due care as well as knowledge, competency and skill. The standards statements (in bold) are mandatory.
- Performance standards (1200 series)—Deal with the conduct of the assignment, such as planning and supervision, scoping, risk and materiality, resource mobilisation, supervision and assignment management, audit and assurance evidence, and the exercising of professional judgement and due care
- Reporting standards (1400 series)—Address the types of reports, means of communication and the information communicated
- Guidelines, supporting the standards and also divided into three categories:
- General guidelines (2000 series)
- Performance guidelines (2200 series)
- Reporting guidelines (2400 series)
- Tools and techniques, providing additional guidance for IS audit and assurance professionals, e.g., white papers, IS audit/assurance programmes, the COBIT 5 family of products
An online glossary of terms used in ITAF is provided at www.isaca.org/glossary.
Disclaimer: ISACA has designed this guidance as the minimum level of acceptable performance required to meet the professional responsibilities set out in the ISACA Code of Professional Ethics. ISACA makes no claim that use of this product will assure a successful outcome. The publication should not be considered inclusive of any proper procedures and tests or exclusive of other procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific procedure or test, controls professionals should apply their own professional judgement to the specific control circumstances presented by the particular systems or IS environment.
The ISACA Professional Standards and Career Management Committee (PSCMC) is committed to wide consultation in the preparation of standards and guidance. Prior to issuing any document, an exposure draft is issued internationally for general public comment. Comments may also be submitted to the attention of the director of professional standards development via email (email@example.com), fax (+1.847. 253.1443) or postal mail (ISACA International Headquarters, 3701 Algonquin Road, Suite 1010, Rolling Meadows, IL 60008-3105, USA).
ISACA 2012-2013 Professional Standards and Career Management Committee
Steven E. Sizemore, CISA, CIA, CGAP, Chairperson
Christopher Nigel Cooper, CISM, CITP, FBCS, M.Inst.ISP
Ronald E. Franke, CISA, CRISC, CFE, CIA, CICA
Murari Kalyanaramani, CISA, CISM, CRISC, CISSP, CBCP
Alisdair McKenzie, CISA, CISSP, ITCP
Katsumi Sakagawa, CISA, CRISC, PMP
Ian Sanderson, CISA, CRISC, FCA
Timothy Smith, CISA, CISSP, CPA
Rodolfo Szuster, CISA, CA, CBA, CIA
Texas Health and Human Services Commission, USA
HP Enterprises Security Services, UK
Myers and Stauffer LC, USA
British American Tobacco IT Services, Malaysia
IS Assurance Services, New Zealand
JIEC Co. Ltd., Japan
LPL Financial, USA
Tarshop S.A., Argentina
IS audit and assurance professionals shall conduct the work in accordance with the approved IS audit plan to cover identified risk and within the agreed-on schedule.
IS audit and assurance professionals shall provide supervision to IS audit staff for whom they have supervisory responsibility, to accomplish audit objectives and meet applicable professional audit standards.
IS audit and assurance professionals shall accept only tasks that are within their knowledge and skills or for which they have a reasonable expectation of either acquiring the skills during the engagement or achieving the task under supervision.
IS audit and assurance professionals shall obtain sufficient and appropriate evidence to achieve the audit objectives. The audit findings and conclusions shall be supported by appropriate analysis and interpretation of this evidence.
IS audit and assurance professionals shall document the audit process, describing the audit work and the audit evidence that supports findings and conclusions.
IS audit and assurance professionals shall identify and conclude on findings.
IS audit and assurance professionals should:
- Assign team members to match their skills and experience with the engagement needs.
- Add external resources to the IS audit team, where appropriate, and ensure that their work is properly supervised.
- Manage the roles and responsibilities of the specific IS audit team members throughout the engagement, addressing at a minimum:
- Execution and review roles
- Responsibility for designing the methodology and approach
- Creating the audit or assurance programmes
- Conducting the work
- Dealing with issues, concerns and problems as they arise
- Documenting and clearing the findings
- Writing the report
- Have every task of the engagement executed by a team member(s) reviewed by another appropriate team member.
- Use the best audit evidence attainable. It should be consistent with the importance of the audit objective and the time and effort involved in obtaining the evidence.
- Obtain additional evidence if, in the professional's judgement, the evidence obtained does not meet the criteria of being sufficient and appropriate to form an opinion or support the findings and conclusions.
- Organise and document the work performed during the engagement—following predefined documented and approved procedures.
- Include in documentation:
- Audit objectives and scope of work, the audit programme, audit steps performed, evidence gathered, findings, conclusions, and recommendations
- Detail sufficient to enable a prudent, informed person to reperform the tasks performed during the engagement and reach the same conclusion
- Identification of who performed each task and their roles in preparing and reviewing the documentation
- The date the documentation was prepared and reviewed
- Obtain relevant written representations from the auditee that clearly detail critical areas of the engagement, issues that have arisen and their resolution, and assertions made by the auditee.
- Determine that auditee representations have been signed and dated by the auditee to indicate acknowledgement of their responsibilities with respect to the engagement.
- Document and retain in work papers any representations received during the course of conducting the engagement, either written or oral.
Linkage to Guidelines
||1005 Due Professional Care|
||2202 Risk Assessment in Planning|
This ISACA standard is effective for all IS audit and assurance engagements beginning 1 November 2013.