Download the PDF Version
The specialised nature of information systems (IS) audit and assurance and the skills necessary to perform such engagements require standards that apply specifically to IS audit and assurance. The development and dissemination of the IS audit and assurance standards are a cornerstone of the ISACA professional contribution to the audit community.
IS audit and assurance standards define mandatory requirements for IS auditing and reporting and inform:
- IS audit and assurance professionals of the minimum level of acceptable performance required to meet the professional responsibilities set out in the ISACA Code of Professional Ethics
- Management and other interested parties of the profession’s expectations concerning the work of practitioners
- Holders of the Certified Information Systems Auditor (CISA) designation of requirements. Failure to comply with these standards may result in an investigation into the CISA holder’s conduct by the ISACA Board of Directors or appropriate committee and, ultimately, in disciplinary action.
IS audit and assurance professionals should include a statement in their work, where appropriate, that the engagement has been conducted in accordance with ISACA IS audit and assurance standards or other applicable professional standards.
The ITAF™ framework for the IS audit and assurance professional provides multiple levels of guidance:
- Standards, divided into three categories:
- General standards (1000 series)—Are the guiding principles under which the IS audit and assurance profession operates. They apply to the conduct of all assignments, and deal with the IS audit and assurance professional’s ethics, independence, objectivity and due care as well as knowledge, competency and skill. The standards statements (in bold) are mandatory.
- Performance standards (1200 series)—Deal with the conduct of the assignment, such as planning and supervision, scoping, risk and materiality, resource mobilisation, supervision and assignment management, audit and assurance evidence, and the exercising of professional judgement and due care
- Reporting standards (1400 series)—Address the types of reports, means of communication and the information communicated
- Guidelines, supporting the standards and also divided into three categories:
- General guidelines (2000 series)
- Performance guidelines (2200 series)
- Reporting guidelines (2400 series)
- Tools and techniques, providing additional guidance for IS audit and assurance professionals, e.g., white papers, IS audit/assurance programmes, the COBIT 5 family of products
An online glossary of terms used in ITAF is provided at www.isaca.org/glossary.
Disclaimer: ISACA has designed this guidance as the minimum level of acceptable performance required to meet the professional responsibilities set out in the ISACA Code of Professional Ethics. ISACA makes no claim that use of this product will assure a successful outcome. The publication should not be considered inclusive of any proper procedures and tests or exclusive of other procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific procedure or test, controls professionals should apply their own professional judgement to the specific control circumstances presented by the particular systems or IS environment.
The ISACA Professional Standards and Career Management Committee (PSCMC) is committed to wide consultation in the preparation of standards and guidance. Prior to issuing any document, an exposure draft is issued internationally for general public comment. Comments may also be submitted to the attention of the director of professional standards development via email (email@example.com), fax (+1.847. 253.1443) or postal mail (ISACA International Headquarters, 3701 Algonquin Road, Suite 1010, Rolling Meadows, IL 60008-3105, USA).
ISACA 2012-2013 Professional Standards and Career Management Committee
Steven E. Sizemore, CISA, CIA, CGAP, Chairperson
Christopher Nigel Cooper, CISM, CITP, FBCS, M.Inst.ISP
Ronald E. Franke, CISA, CRISC, CFE, CIA, CICA
Murari Kalyanaramani, CISA, CISM, CRISC, CISSP, CBCP
Alisdair McKenzie, CISA, CISSP, ITCP
Katsumi Sakagawa, CISA, CRISC, PMP
Ian Sanderson, CISA, CRISC, FCA
Timothy Smith, CISA, CISSP, CPA
Rodolfo Szuster, CISA, CA, CBA, CIA
Texas Health and Human Services Commission, USA
HP Enterprises Security Services, UK
Myers and Stauffer LC, USA
British American Tobacco IT Services, Malaysia
IS Assurance Services, New Zealand
JIEC Co. Ltd., Japan
LPL Financial, USA
Tarshop S.A., Argentina
IS audit and assurance professionals shall consider potential weaknesses or absences of controls while planning an engagement and whether such weaknesses or absences of controls could result in a significant deficiency or a material weakness.
IS audit and assurance professionals shall consider materiality and its relationship to audit risk while determining the nature, timing and extent of audit procedures.
IS audit and assurance professionals shall consider the cumulative effect of minor control deficiencies or weaknesses and whether the absence of controls translates into a significant deficiency or a material weakness.
IS audit and assurance professionals shall disclose the following in the report:
- Absence of controls or ineffective controls
- Significance of the control deficiencies
- Probability of these weaknesses resulting in a significant deficiency or material weakness
In performing an engagement, IS audit and assurance professionals should:
- Apply the concept of materiality in:
Any deficiency, weakness or lack of appropriate policies, procedures and controls should be judged in the particular circumstances of the engagement.
- Planning and performing the engagement
- Evaluating the effect of specific items, processes, controls or errors
- Consider definitions of materiality where provided by legislative or regulatory authorities.
- Note that the assessment of materiality and Audit risk may vary from time to time, depending upon the circumstances and the changing environment.
- Attempt to reduce audit risk to an acceptable level and meet the objectives while planning and performing the engagement.
- Consider Materiality when determining the nature, timing and extent of audit procedures.
- Reduce audit risk for higher materiality subject areas by either extending the test of controls (reduce control risk) and/or extending the substantive testing procedures (reduce detection risk).
- Evaluate the effect of compensating controls and whether such compensating controls are effective in determining whether a control deficiency or combination of control deficiencies is a Material weakness.
- Consider the cumulative effect of multiple errors or control failures when determining materiality.
- Consider not only the size but also the nature of control deficiencies and the particular circumstances of their occurrence when evaluating their overall effect on the audit opinion or conclusion.
||The risk of reaching an incorrect conclusion based upon audit findings. The three components of audit risk are:
- Control risk
- Detection risk
- Inherent risk
||A deficiency or a combination of deficiencies in internal control, such that there is a reasonable possibility that a material misstatement will not be prevented or detected on a timely basis.|
Weakness in control is considered material if the absence of the control results in failure to provide reasonable assurance that the control objective will be met. A weakness classified as material implies that:
There is an inverse relationship between materiality and the level of audit risk acceptable to the IS audit or assurance professional, i.e., the higher the materiality level, the lower the acceptability of the audit risk, and vice versa.
- Controls are not in place and/or controls are not in use and/or controls are inadequate
- Escalation is warranted
||An audit concept regarding the importance of an item of information with regard to its impact or effect on the functioning of the entity being audited. An expression of the relative significance or importance of a particular matter in the context of the enterprise as a whole. |
Linkage to Guidelines
||1201 Engagement Planning|
||1202 Risk Assessment in Planning|
||1207 Irregularity and Illegal Acts|
||2202 Risk Assessment in Planning|
This ISACA standard is effective for all IS audit and assurance engagements beginning 1 November 2013.