Professional Documents
Culture Documents
General Standards
General standards are the guiding principles under which the IS audit and assurance professional operates. They apply to the conduct of all
assignments and deal with the IS audit and assurance professional’s ethics, independence, objectivity and due care, as well as knowledge,
competency and skill.
In conducting an IS audit or assurance assignment the IS audit and assurance professional will be required to assess number of key decisions
regarding the subject matter to be audited and the criteria against which the subject matter is to be assessed. In doing so, the IS audit and
assurance professional will need to consider the benchmarks against which the assignment is to be conducted (standards) and against which the
subject matter is to be assessed (criteria).
The standards are included here in their entirety. Underlined words are defined in the Terms section. For links to the individual standards,
visit www.isaca.org/standard.
12
ITAF™: A Professional Practices Framework for IS Audit/ Assurance, 3rd Edition 1. IS Audit and Assurance Standards
Scope note: Examples may include financial, performance, compliance and system
security engagements
Audit charter A document approved by those charged with governance that defines the purpose,
authority and responsibility of the internal audit activity.
Operative Date This ISACA standard is effective for all IS audit and assurance engagements beginning 1 November 2013.
13
ITAF™: A Professional Practices Framework for IS Audit/ Assurance, 3rd Edition 1. IS Audit and Assurance Standards
Operative Date This ISACA standard is effective for all IS audit and assurance engagements beginning 1 November 2013.
14
ITAF™: A Professional Practices Framework for IS Audit/ Assurance, 3rd Edition 1. IS Audit and Assurance Standards
Operative Date This ISACA standard is effective for all IS audit and assurance engagements beginning 1 November 2013.
15
ITAF™: A Professional Practices Framework for IS Audit/ Assurance, 3rd Edition 1. IS Audit and Assurance Standards
Operative Date This ISACA standard is effective for all IS audit and assurance engagements beginning 1 November 2013.
16
ITAF™: A Professional Practices Framework for IS Audit/ Assurance, 3rd Edition 1. IS Audit and Assurance Standards
Note: Due professional care implies reasonable care and competence, not infallibility or
extraordinary performance.
Operative Date This ISACA standard is effective for all IS audit and assurance engagements beginning 1 November 2013.
17
ITAF™: A Professional Practices Framework for IS Audit/ Assurance, 3rd Edition 1. IS Audit and Assurance Standards
1006 Proficiency
Statements 1006.1 IS audit and assurance professionals, collectively with others assisting with the assignment,
shall possess adequate skills and proficiency in conducting IS audit and assurance
engagements and be professionally competent to perform the work required.
1006.2 IS audit and assurance professionals, collectively with others assisting with the assignment,
shall possess adequate knowledge of the subject matter.
1006.3 IS audit and assurance professionals shall maintain professional competence through
appropriate continuing professional education and training.
Operative Date This ISACA standard is effective for all IS audit and assurance engagements beginning 1 November 2013.
18
ITAF™: A Professional Practices Framework for IS Audit/ Assurance, 3rd Edition 1. IS Audit and Assurance Standards
1007 Assertions
Statements 1007.1 IS audit and assurance professionals shall review the assertions against which the subject
matter will be assessed to determine that such assertions are capable of being audited and
that the assertions are sufficient, valid and relevant.
Operative Date This ISACA standard is effective for all IS audit and assurance engagements beginning 1 November 2013.
19
ITAF™: A Professional Practices Framework for IS Audit/ Assurance, 3rd Edition 1. IS Audit and Assurance Standards
1008 Criteria
Statements 1008.1 IS audit and assurance professionals shall select criteria, against which the subject matter
will be assessed, that are objective, complete, relevant, measureable, understandable, widely
recognised, authoritative and understood by, or available to, all readers and users of
the report.
1008.2 IS audit and assurance professionals shall consider the source of the criteria and focus on
those issued by relevant authoritative bodies before accepting lesser-known criteria.
The suitability and appropriateness of subject matter assessment criteria should be assessed against the
following five suitability criteria:
• Objectivity—Criteria should be free from bias that may adversely impact the professional’s findings and
conclusions, and, accordingly, may mislead the user of the report.
• Completeness—Criteria should be sufficiently complete so that all criteria that could affect the
professional’s conclusions about the subject matter are identified and used in the conduct of the IS audit
or assurance engagement.
• Relevance—Criteria should be relevant to the subject matter and contribute to findings and conclusions that
meet the objectives of the IS audit or assurance engagement.
• Measurability—Criteria should permit consistent measurement of the subject matter and the development
of consistent conclusions when applied by different professionals in similar circumstances.
• Understandability—Criteria should be communicated clearly and not be subject to significantly different
interpretations by intended users.
The acceptability of criteria is affected by the availability of the criteria to users of the professional’s report, so
that users understand the basis of the assurance activity and the relevance of the findings and conclusions.
Sources may include those that are:
• Recognised—Criteria should be sufficiently well recognised so that their use is not questioned by
intended users.
• Authoritative—Criteria should be sought that reflect authoritative pronouncements within the area and are
appropriate for the subject matter. For example, authoritative pronouncements may come from professional
bodies, industry groups, government and regulators.
• Publicly available—Criteria should be available to the users of the professional’s report. Examples include
standards developed by professional accounting and audit bodies such as ISACA, International Federation of
Accountants (IFAC), and other recognised government or professional bodies.
• Available to all users—Where criteria are not publicly available, they should be communicated to all users
through ‘assertions’ that form part of the professional’s report. Assertions consist of statements about the
subject matter that meet the requirements of ‘suitable criteria’ so that they can be audited.
20
ITAF™: A Professional Practices Framework for IS Audit/ Assurance, 3rd Edition 1. IS Audit and Assurance Standards
The selection criteria should be considered carefully. While adhering to local laws and regulations is important
and must be considered a mandatory requirement, it is recognised that many IS audit and assurance
engagements include areas, such as change management, IT general controls and access controls, not covered
by law or regulations. In addition, some industries, such as the payment card industry, have established
mandatory requirements that must be met. Where legislative requirements are principle-based the professional
should ensure that criteria selected meet the engagement objective.
As the engagement progresses, additional information may result in certain criteria not being necessary to
achieve the objectives. In these circumstances, further work related to the criteria is not necessary.
Operative Date This ISACA standard is effective for all IS audit and assurance engagements beginning 1 November 2013.
21