ISACA IS Audit Standards

The members of ISACA are constantly striving to advance the standards of IS auditing. CISAs should check the ISACA website (www.isaca.org) for updates on a quarterly basis. ISACA added five new standards during 2006-2007 to clarify our minimum level of performance. The current body of ISACA Audit Standards is organized using a format numbered from 1 to 16:

S1 Audit Charter The audit charter authorizes the scope of the audit and grants you responsibility, authority, and accountability in the audit function.

S2 Independence Every auditor is expected to demonstrate professional and organizational independence.

S3 Professional Ethics and Standards of Conduct The auditor must act in a manner that denotes professionalism and respect.

S4 Professional Competence The auditor must have the necessary skills to perform the audit. Continuing education is required to improve and maintain skills.

S5 Planning Successful audits are the result of advance preparation. Proper planning is necessary to ensure that the audit will fulfill the intended objectives.

S6 Performance of Audit Work This standard provides guidance to ensure that the auditor has proper supervision, gains the correct evidence to form conclusions, and creates the required documentation of the audit.

S7 Audit Reporting The auditor report contains several required statements and legal disclosures. This standard provides guidance concerning the contents of the auditor's report.

S8 Follow-up Activities The follow-up activities include determining whether management has taken action on the auditor's recommendations in a timely manner.

S9 Irregularities and Illegal Acts This standard outlines how to handle the discovery of irregularities and illegal acts involving the auditee.

S10 IT Governance This standard covers the authority, direction, and control of the information technology function. Technology is now pervasive in all areas of business. Is the auditee properly managing IT to meet their needs?

S11 Use of Risk Analysis in Audit Planning This standard provides guidance for implementing a risk-based approach in audit planning. Risk planning is used to determine whether an audit is possible. Auditors always weigh our level of competency to conduct the audit. Audit plans should be structured for the maximum return on investment when designing specific audits, aka impact for the dollar spent.

S12 Audit Materiality Auditors must use evidence that portrays the most accurate story. The absence of controls or a potential weakness may cumulatively result in unacceptable risk to the organization. Ineffective controls, absence of controls, and control deficiencies should be disclosed in the audit report.

S13 Using the Work of Other People It's impossible for the auditor to perform all the work alone. The work of other experts may be included in the audit, provided the auditor is satisfied with their competencies, relevant experience, professional qualifications, independence, and quality control. A scope limitation may be required in the final audit opinion if the other experts do not provide appropriate and sufficient evidence. An expert working in the same area as the one being audited should not be relied on.

S14 Proper Audit Evidence Appropriate evidence includes the written procedures performed by the auditor, source documents, corroborating records, samples, and corresponding test results. Reliable evidence is based on its source, natural state, and authenticity. Audit evidence must be specifically identified, cataloged, and cross-referenced in the audit documentation, via auditor notes and working papers.

S15 Effective IT Controls Working IT controls represent an integral foundation in the organization's overall internal control environment. IS auditors should monitor and evaluate the effect or absence of IT controls. It's necessary to help management understand the IT controls' design, implementation, and methods of improvement. The level of effective controls provided by outsourcing, or their absence, may help or hurt the organization.

S16 Electronic Commerce Controls E-commerce allows the business to conduct electronic transactions with other businesses (business-to-business, or B2B) and directly to consumers (business-to-consumer, or B2C) over the public Internet. E-commerce requires the auditor to implement risk-based audit plans with data-gathering techniques for continuous assurances regarding the security and integrity of the environment. ISACA standard S16 excludes non-Internet-based private networks such as Electronic Data Interchange (EDI) and Society for Worldwide Interbank Financial Telecommunication (SWIFT).

During the audit process, you will find clients are more receptive when your audit goals are linked to specific citations in the audit standards. You should aim to fill a known and defined point of compliance rather than provide a vague statement relating to something you may have read in a textbook. Don't make the mistake of trusting your job to misinformation, rumors, or free advice on the Internet.

Most of the IT controls originated from demands imposed by a government agency. Security started in the military. Budgets and financial tracking were introduced by the banking industry. In fact, the first internal control in business was the budget. Since 1998, additional internal controls have been added each year. Figure 1 demonstrates the relationship of these various sources.

 

Figure 1: Where I.T. control standards originate