IS Audit and Assurance Standard 1207 Irregularity and Illegal Acts 


The specialised nature of information systems (IS) audit and assurance and the skills necessary to perform such engagements require standards that apply specifically to IS audit and assurance. The development and dissemination of the IS audit and assurance standards are a cornerstone of the ISACA professional contribution to the audit community.

IS audit and assurance standards define mandatory requirements for IS auditing and reporting and inform:

  • IS audit and assurance professionals of the minimum level of acceptable performance required to meet the professional responsibilities set out in the ISACA Code of Professional Ethics
  • Management and other interested parties of the profession’s expectations concerning the work of practitioners
  • Holders of the Certified Information Systems Auditor (CISA) designation of requirements. Failure to comply with these standards may result in an investigation into the CISA holder’s conduct by the ISACA Board of Directors or appropriate committee and, ultimately, in disciplinary action.

IS audit and assurance professionals should include a statement in their work, where appropriate, that the engagement has been conducted in accordance with ISACA IS audit and assurance standards or other applicable professional standards.

The ITAF™ framework for the IS audit and assurance professional provides multiple levels of guidance:

  • Standards, divided into three categories:
    • General standards (1000 series)—Are the guiding principles under which the IS audit and assurance profession operates. They apply to the conduct of all assignments, and deal with the IS audit and assurance professional’s ethics, independence, objectivity and due care as well as knowledge, competency and skill. The standards statements (in bold) are mandatory.
    • Performance standards (1200 series)—Deal with the conduct of the assignment, such as planning and supervision, scoping, risk and materiality, resource mobilisation, supervision and assignment management, audit and assurance evidence, and the exercising of professional judgement and due care
    • Reporting standards (1400 series)—Address the types of reports, means of communication and the information communicated
  • Guidelines, supporting the standards and also divided into three categories:
    • General guidelines (2000 series)
    • Performance guidelines (2200 series)
    • Reporting guidelines (2400 series)
  • Tools and techniques, providing additional guidance for IS audit and assurance professionals, e.g., white papers, IS audit/assurance programmes, the COBIT 5 family of products

An online glossary of terms used in ITAF is provided at www.isaca.org/glossary.

Disclaimer:  ISACA has designed this guidance as the minimum level of acceptable performance required to meet the professional responsibilities set out in the ISACA Code of Professional Ethics. ISACA makes no claim that use of this product will assure a successful outcome. The publication should not be considered inclusive of any proper procedures and tests or exclusive of other procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific procedure or test, controls professionals should apply their own professional judgement to the specific control circumstances presented by the particular systems or IS environment.

The ISACA Professional Standards and Career Management Committee (PSCMC) is committed to wide consultation in the preparation of standards and guidance. Prior to issuing any document, an exposure draft is issued internationally for general public comment. Comments may also be submitted to the attention of the director of professional standards development via email ([email protected]), fax (+1.847.253.1443) or postal mail (ISACA International Headquarters, 3701 Algonquin Road, Suite 1010, Rolling Meadows, IL 60008-3105, USA).


ISACA 2012-2013 Professional Standards and Career Management Committee

Steven E. Sizemore, CISA, CIA, CGAP, Chairperson (Texas Health and Human Services Commission, USA)
Christopher Nigel Cooper, CISM, CITP, FBCS, M.Inst.ISP (HP Enterprises Security Services, UK)
Ronald E. Franke, CISA, CRISC, CFE, CIA, CICA (Myers and Stauffer LC, USA)
Murari Kalyanaramani, CISA, CISM, CRISC, CISSP, CBCP (British American Tobacco IT Services, Malaysia)
Alisdair McKenzie, CISA, CISSP, ITCP (IS Assurance Services, New Zealand)
Katsumi Sakagawa, CISA, CRISC, PMP (JIEC Co. Ltd., Japan)
Ian Sanderson, CISA, CRISC, FCA (NATO, Belgium)
Timothy Smith, CISA, CISSP, CPA (LPL Financial, USA)
Rodolfo Szuster, CISA, CA, CBA, CIA (Tarshop S.A., Argentina)


Statements

1207.1
IS audit and assurance professionals shall consider the risk of irregularities and illegal acts during the engagement.

1207.2
IS audit and assurance professionals shall maintain an attitude of professional scepticism during the engagement.

1207.3
IS audit and assurance professionals shall document and communicate any material irregularities or illegal acts to the appropriate party in a timely manner.


Key Aspects

IS audit and assurance professionals should:

  • Reduce audit risk to an acceptable level in planning and performing the engagement by:
    • Being aware that material errors, control deficiencies or misstatements due to irregularities and illegal acts could exist, irrespective of evaluation of the risk of irregularities and illegal acts
    • Obtaining an understanding of the enterprise and its environment, including internal controls intended to prevent or detect irregularities and illegal acts that are relevant to the engagement subject matter, scope and objectives
    • Obtaining sufficient and appropriate evidence to determine whether management or others within the enterprise have knowledge of any actual, suspected or alleged irregularities and illegal acts
  • Consider unusual or unexpected relationships that may indicate a risk of material errors, control deficiencies or misstatements due to irregularities and illegal acts when performing audit procedures
  • Design and perform procedures to test the appropriateness of internal controls and the risk that management overrides controls intended to prevent or detect irregularities and illegal acts
  • Assess whether identified errors, control deficiencies or misstatements may be indicative of an irregularity or illegal act. If there is such an indication, consider the implications in relation to other aspects of the engagement and, in particular, the representations of management.
  • Obtain written representations from management at least annually, or more often depending on the engagement, to:
    • Acknowledge management’s responsibility for the design and implementation of internal controls to prevent and detect irregularities and illegal acts.
    • Disclose the pertinent results of any risk assessment that indicates that errors, control deficiencies or misstatements may exist as a result of an irregularity or illegal act.
    • Disclose management’s knowledge of irregularities and illegal acts affecting the enterprise in relation to management and employees who have significant roles in internal control.
    • Disclose management’s knowledge of any alleged or suspected irregularities and illegal acts affecting the enterprise as communicated by employees, former employees, regulators and others.
  • Communicate in a timely manner to:
    • The appropriate level of management, any information identified or obtained indicating that a material irregularity or illegal act may exist
    • Those charged with governance, any material irregularities and illegal acts involving management or employees who have significant roles in internal control
  • Report to those charged with governance any material weakness in the design and implementation of internal controls intended to prevent and detect any irregularities and illegal acts that are identified during the engagement, even if they are outside of the scope.
  • Consider the legal and professional reporting requirements applicable in the circumstances.
  • Consider withdrawing from the engagement if material errors, control deficiencies, misstatements or illegal acts affect the continued performance of the engagement.
  • Document all communications, planning, results, evaluations and conclusions relating to material irregularities and illegal acts that have been reported to management, those charged with governance, regulators and others.


Terms

Irregularity: Violation of an established management policy or regulatory requirement. It may consist of deliberate misstatements or omission of information concerning the area under audit or the enterprise as a whole, gross negligence or unintentional illegal acts.

Material misstatement: An accidental or intentional untrue statement that affects the results of an audit to a measurable extent.

Professional scepticism: An attitude that includes a questioning mind and a critical assessment of audit evidence. Source: American Institute of Certified Public Accountants (AICPA) AU 230.07


Linkage to Guidelines

  • Standard 1008 Criteria
  • Standard 1202 Risk Assessment in Planning
  • Standard 1205 Evidence
  • Guideline 2206 Using the Work of Other Experts
  • Guideline 2207 Irregularity and Illegal Acts


Operative Date

This ISACA standard is effective for all IS audit and assurance engagements beginning 1 November 2013.