ISACA Member and Certification Holder Compliance
The specialized nature of information technology (IT) audit and assurance and the skills necessary to perform such engagements require standards that apply specifically to IT audit and assurance. The development and dissemination of the IT audit and assurance standards are a cornerstone of the ISACA® professional contribution to the audit community.
IT audit and assurance standards define mandatory requirements for IT auditing. They report and inform:
- IT audit and assurance professionals of the minimum level of acceptable performance required to meet the professional responsibilities set out in the ISACA Code of Professional Ethics
- Management and other interested parties of the profession’s expectations concerning the work of practitioners
- Holders of the Certified Information Systems Auditor® (CISA®) designation of requirements. Failure to comply with these standards may result in an investigation into the CISA holder’s conduct by the ISACA Board of Directors or appropriate committee and, ultimately, in disciplinary action.
ITAF™, 4th Edition (xhrj.yutb.net/itaf) provides a framework for multiple levels of guidance:
IT Audit and Assurance Standards
The standards are divided into three categories:
- General standards (1000 series)—Are the guiding principles under which the IT assurance profession operates. They apply to the conduct of all assignments and deal with the IT audit and assurance professional’s ethics, independence, objectivity and due care as well as knowledge, competency and skill.
- Performance standards (1200 series)—Deal with the conduct of the assignment, such as planning and supervision, scoping, risk and materiality, resource mobilization, supervision and assignment management, audit and assurance evidence, and the exercising of professional judgment and due care.
- Reporting standards (1400 series)—Address the types of reports, means of communication and the information communicated.
Please note that the standards and guidelines are effective October 2020.
General
1001 Audit Charter
1002 Organizational Independence
1003 Auditor Objectivity
1004 Reasonable Expectation
1005 Due Professional Care
1006 Proficiency
1007 Assertions
1008 Criteria
Performance
1201 Risk Assessment in Planning
1202 Audit Scheduling
1203 Engagement Planning
1204 Performance and Supervision
1205 Evidence
1206 Using the Work of Other Experts
1207 Irregularities and Illegal Acts
Reporting
1401 Reporting
1402 Follow-up Activities
IT Audit and Assurance Guidelines
The guidelines are designed to directly support the standards and help practitioners achieve alignment with the standards. They follow the same categorization as the standards (also divided into three categories):
- General guidelines (2000 series)
- Performance guidelines (2200 series)
- Reporting guidelines (2400 series)
General
2001 Audit Charter
2002 Organizational Independence
2003 Auditor Objectivity
2004 Reasonable Expectation
2005 Due Professional Care
2006 Proficiency
2007 Assertions
2008 Criteria
Performance
2201 Risk Assessment in Planning
2202 Audit Scheduling
2203 Engagement Planning
2204 Performance and Supervision
2205 Evidence
2206 Using the Work of Other Experts
2207 Irregularities and Illegal Acts
Reporting
2401 Reporting
2402 Follow-up Activities
IT Audit and Assurance Tools and Techniques
These documents provide additional guidance for IT audit and assurance
professionals and consist, among other things, of white papers, IT
audit/assurance programs, reference books and the COBIT® 2019 family
of products.
An online glossary of terms, including terms used in ITAF, is provided at xhrj.yutb.net/glossary.
Prior to issuing any new standard or guideline (or modifying existing standards and guidelines), an exposure draft is issued internationally for general public comment.
Comments may also be submitted to ISACA via email (support@yutb.net); fax (+1.847.253.1755) or postal mail (ISACA Global, 1700 E. Golf Road, Suite 400, Schaumburg, IL 60173, USA).
Links to current and exposed ISACA Standards and Guidelines are posted at xhrj.yutb.net/resources/frameworks-standards-and-models.
Disclaimer: ISACA has designed this guidance as the minimum level of acceptable performance required to meet the professional responsibilities set out in the ISACA Code of Professional Ethics. ISACA makes no claim that use of these products will assure a successful outcome. The guidance should not be considered inclusive of any proper procedures and tests or exclusive of other procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific procedure or test, the control professionals should apply their own professional judgment to the specific control circumstances presented by the particular systems or IT environment.