IS Audit and Assurance Standard 1401 Reporting 


  Download the PDF Version

The specialised nature of information systems (IS) audit and assurance and the skills necessary to perform such engagements require standards that apply specifically to IS audit and assurance. The development and dissemination of the IS audit and assurance standards are a cornerstone of the ISACA professional contribution to the audit community.

IS audit and assurance standards define mandatory requirements for IS auditing and reporting and inform:

  • IS audit and assurance professionals of the minimum level of acceptable performance required to meet the professional responsibilities set out in the ISACA Code of Professional Ethics
  • Management and other interested parties of the profession’s expectations concerning the work of practitioners
  • Holders of the Certified Information Systems Auditor (CISA) designation of requirements. Failure to comply with these standards may result in an investigation into the CISA holder’s conduct by the ISACA Board of Directors or appropriate committee and, ultimately, in disciplinary action.

IS audit and assurance professionals should include a statement in their work, where appropriate, that the engagement has been conducted in accordance with ISACA IS audit and assurance standards or other applicable professional standards.

The ITAF™ framework for the IS audit and assurance professional provides multiple levels of guidance:

  • Standards, divided into three categories:
    • General standards (1000 series)—Are the guiding principles under which the IS audit and assurance profession operates. They apply to the conduct of all assignments, and deal with the IS audit and assurance professional’s ethics, independence, objectivity and due care as well as knowledge, competency and skill. The standards statements (in bold) are mandatory.
    • Performance standards (1200 series)—Deal with the conduct of the assignment, such as planning and supervision, scoping, risk and materiality, resource mobilisation, supervision and assignment management, audit and assurance evidence, and the exercising of professional judgement and due care
    • Reporting standards (1400 series)—Address the types of reports, means of communication and the information communicated
  • Guidelines, supporting the standards and also divided into three categories:
    • General guidelines (2000 series)
    • Performance guidelines (2200 series)
    • Reporting guidelines (2400 series)
  • Tools and techniques, providing additional guidance for IS audit and assurance professionals, e.g., white papers, IS audit/assurance programmes, the COBIT 5 family of products

An online glossary of terms used in ITAF is provided at

Disclaimer:  ISACA has designed this guidance as the minimum level of acceptable performance required to meet the professional responsibilities set out in the ISACA Code of Professional Ethics. ISACA makes no claim that use of this product will assure a successful outcome. The publication should not be considered inclusive of any proper procedures and tests or exclusive of other procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific procedure or test, controls professionals should apply their own professional judgement to the specific control circumstances presented by the particular systems or IS environment.

The ISACA Professional Standards and Career Management Committee (PSCMC) is committed to wide consultation in the preparation of standards and guidance. Prior to issuing any document, an exposure draft is issued internationally for general public comment. Comments may also be submitted to the attention of the director of professional standards development via email (, fax (+1.847. 253.1443) or postal mail (ISACA International Headquarters, 3701 Algonquin Road, Suite 1010, Rolling Meadows, IL 60008-3105, USA).

ISACA 2012-2013 Professional Standards and Career Management Committee

Steven E. Sizemore, CISA, CIA, CGAP, Chairperson
Christopher Nigel Cooper, CISM, CITP, FBCS, M.Inst.ISP
Ronald E. Franke, CISA, CRISC, CFE, CIA, CICA
Murari Kalyanaramani, CISA, CISM, CRISC, CISSP, CBCP
Alisdair McKenzie, CISA, CISSP, ITCP
Katsumi Sakagawa, CISA, CRISC, PMP
Ian Sanderson, CISA, CRISC, FCA
Timothy Smith, CISA, CISSP, CPA
Rodolfo Szuster, CISA, CA, CBA, CIA
Texas Health and Human Services Commission, USA
HP Enterprises Security Services, UK
Myers and Stauffer LC, USA
British American Tobacco IT Services, Malaysia
IS Assurance Services, New Zealand
JIEC Co. Ltd., Japan
NATO, Belgium
LPL Financial, USA
Tarshop S.A., Argentina


IS audit and assurance professionals shall provide a report to communicate the results upon completion of the engagement, including:

  • Identification of the enterprise, the intended recipients, and any restrictions on content and circulation
  • The scope, engagement objectives, period of coverage, and the nature, timing and extent of the work performed
  • The findings, conclusions and recommendations
  • Any qualifications or limitations in scope that the IS audit and assurance professional has with respect to the engagement
  • Signature, date and distribution according to the terms of the audit charter or engagement letter

IS audit and assurance professionals shall ensure that findings in the audit report are supported by sufficient and appropriate evidence.

Key Aspects

IS audit and assurance professionals should:

  • Obtain relevant written representations from the auditee that clearly detail critical areas of the engagement, issues that have arisen and their resolution, and assertions made by the auditee
  • Determine that auditee representations have been signed and dated by the auditee to indicate acknowledgement of auditee responsibilities with respect to the engagement
  • Document and retain in the work paper any representations, either written or oral, received during the course of conducting the engagement. For attestation engagements, representations from the auditee should be obtained in writing to reduce possible misunderstanding.
  • Customise the form and content of the report to support the type of the engagement performed, such as:
    • Audit (direct or attest)
    • Review (direct or attest)
    • Agreed-upon procedures
  • Describe material or significant weaknesses and their effect on the achievement of the engagement objectives in the report.
  • Discuss the draft report contents with management in the subject area prior to finalisation and release, and include management’s response to findings, conclusions and recommendations in the final report, where applicable.
  • Communicate significant deficiencies and material weaknesses in the control environment to those charged with governance and, where applicable, to the responsible authority, and disclose in the report that these have been communicated.
  • Reference any separate reports in the final report.
  • Communicate to auditee management internal control deficiencies that are less than significant but more than inconsequential. In such cases, those charged with governance or the responsible authority should be notified that such internal control deficiencies have been communicated to auditee management.
  • Identify standards applied in conducting the engagement, and communicate any non-compliance with these standards, as applicable.


Term Definition
Relevant information Relating to controls, tells the evaluator something meaningful about the operation of the underlying controls or control component. Information that directly confirms the operation of controls is most relevant. Information that relates indirectly to the operation of controls can also be relevant, but is less relevant than direct information. Refer to COBIT 5 information quality goals
Reliable information Information that is accurate, verifiable and from an objective source. Refer to COBIT 5 information quality goals
Sufficient information Information is sufficient when evaluators have gathered enough of it to form a reasonable conclusion. For information to be sufficient, however, it must first be suitable. Refer to COBIT 5 information quality goals
Suitable information Relevant (i.e., fit for its intended purpose), reliable (i.e., accurate, verifiable and from an objective source) and timely (i.e., produced and used in an appropriate time frame)information. Refer to COBIT 5 information quality goals
Timely information Produced and used in a time frame that makes it possible to prevent or detect control deficiencies before they become material to an enterprise. Refer to COBIT 5 information quality goals

Linkage to Guidelines

Type Title
Guideline 2401 Reporting

Operative Date

This ISACA standard is effective for all IS audit and assurance engagements beginning 1 November 2013.