Introduction

The specialised nature of information systems (IS) auditing, and the skills necessary to perform such audits, require standards that apply specifically to IS auditing. One of the Information Systems Audit and Control Association, Inc.'s (ISACA's) goals is therefore to advance globally applicable standards to meet this need. The development and dissemination of IS Auditing Standards are a cornerstone of the ISACA's professional contribution to the audit community.

Objectives

The objectives of the ISACA's IS Auditing Standards are to inform:

■ IS Auditors of the minimum level of acceptable performance required to meet the professional responsibilities set out in the ISACA Code of Professional Ethics for IS Auditors
■ Management and other interested parties of the profession's expectations concerning the work of practitioners

The ISACA Code of Professional Ethics requires members of the ISACA and holders of the Certified Information Systems Auditor (CISA) designation to comply with IS Auditing Standards as adopted by the ISACA. Failure to comply with these standards may result in an investigation into the member's or CISA holder's conduct by the ISACA Board or appropriate ISACA committee, and ultimately in disciplinary action.

Scope and Authority of IS Auditing Standards

The framework for the ISACA's IS Auditing Standards provides for multiple levels of standards, as follows:

■ Standards define mandatory requirements for IS auditing and reporting.
■ Guidelines provide guidance in applying IS auditing standards. The IS Auditor should consider them in determining how to achieve implementation of the standards, use professional judgment in their application and be prepared to justify any departure.
■ Procedures provide examples of procedures an IS Auditor might follow in an audit engagement. The procedure documents provide information on how to meet the standards when performing IS auditing work, but do not set requirements.

The objective of IS Auditing Guidelines is to provide further information on how to comply with the IS Auditing Standards.

Development of Standards, Guidelines and Procedures

The ISACA Standards Board is committed to wide consultation in the preparation of IS Auditing Standards, Guidelines and Procedures. Prior to issuing any documents, the Standards Board issues exposure drafts internationally for general public comment. The Standards Board also seeks out those with a special expertise or interest in the topic under consideration for consultation where necessary.

The Standards Board has an on-going development programme, and would welcome the input of members of the ISACA and holders of the CISA designation to identify emerging issues requiring new standards products. Any suggestions should be e-mailed (research@isaca.org), faxed (+1.847.253.1443) or mailed (address at the end of Guideline) to ISACA's International Office for the attention of the Director of Research, Standards and Academic Relations.

Withdrawal of Previously Issued Documents

This Guideline replaces the previously issued Statement on Information Systems Auditing Standard (SISAS) Number 4 on "Due Professional Care". SISAS 4 will be withdrawn on 1 September 1999.

This material was issued on 1 May 1999.
Information Systems Audit and Control Association
1998-1999 STANDARDS BOARD

Chair, Lynn Christine Lawton, CISA, FCA, FIIA, PIIA, KPMG, United Kingdom
John W. Beveridge, CISA, CFE, CGFM, Commonwealth of Massachusetts, USA
Marcelo Abdo Centeio, Companhia Siderurgica Nacional, Brazil
Claudio Cilli, CISA, Ernst & Young, Italy
Svein Erik Dovran, CISA, The Banking Insurance and Securities Commission of Norway
Stephen W. Head, CISA, CPA, CPCU, CMA, CFE, CISSP, CBCP, Royal & SunAlliance, USA
Fred Lilly, CISA, CPA, Fred L. Lilly, CPA, USA
Ai Lin Ong, CISA, ACA, PA, PricewaterhouseCoopers, Malaysia
David W. Powell, CISA, FCA, CIA, Deloitte Touche Tohmatsu, Australia

Copyright 1999 Information Systems Audit and Control Association
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Telephone: +1.847.253.1545
Fax: +1.847.253.1443
Email: research@isaca.org
Web Site: http://www.isaca.org

1. BACKGROUND

1.1 Linkage to Standards

1.1.1 Standard S3 Professional Ethics and Standards states "The IS auditor should adhere to the Code of Professional Ethics."

1.1.2 Standard S3 Professional Ethics and Standards states "The IS auditor should exercise due professional care, including observance of applicable professional auditing standards."

1.2 Need for Guideline

1.2.1 The purpose of this Guideline is to clarify the term "due professional care" as it applies to the performance of an audit in compliance with standard S3 of the IS Auditing Standards.

1.2.2 The guideline provides guidance in applying IS auditing standards. The IS auditor should consider it in determining how to achieve implementation of the above standards, use professional judgment in its application and be prepared to justify any departure.

2. PERFORMANCE OF AUDIT WORK

2.1 Due Care

2.1.1 The standard of "due care" is that level of diligence which a prudent and competent person would exercise under a given set of circumstances. "Due professional care" applies to an individual who professes to exercise a special skill such as information systems auditing. Due professional care requires the individual to exercise that skill to a level commonly possessed by practitioners of that speciality.

2.1.2 Due professional care applies to the exercise of professional judgment in the conduct of work performed. Due professional care implies that the professional approaches matters requiring professional judgment with proper diligence. Despite the exercise of due professional care and professional judgment, situations may nonetheless arise where an incorrect conclusion may be drawn from a diligent review of the available facts and circumstances. Therefore, the subsequent discovery of incorrect conclusions does not, in and of itself, indicate inadequate professional judgment or lack of diligence on the part of the IS Auditor.

2.1.3 Due professional care should extend to every aspect of the audit, including the evaluation of audit risk, the formulation of audit objectives, the establishment of the audit scope, the selection of audit tests, and the evaluation of test results. In doing this, the IS Auditor should determine or evaluate:

■ The type and level of audit resources required to meet the audit objectives
■ The significance of identified risks and the potential effect of such risks on the audit
■ The audit evidence gathered
■ The competence, integrity, and conclusions of others upon whose work the IS Auditor places reliance

2.1.4 The intended recipients of the audit reports have an appropriate expectation that the IS Auditor has exercised due professional care throughout the course of the audit. The IS Auditor should not accept an assignment unless adequate skills, knowledge, and other resources are available to complete the work in a manner expected of a professional.

2.1.5 The IS Auditor should conduct the audit with diligence while adhering to professional standards. The IS Auditor should disclose the circumstances of any non-compliance with professional standards in a manner consistent with the communication of the audit results.

3. EFFECTIVE DATE

3.1 This Guideline is effective for all information systems audits beginning on or after 1 September 1999.

APPENDIX – GLOSSARY

Due Care – diligence which a person would exercise under a given set of circumstances.

Due Professional Care – diligence which a person, who possesses a special skill, would exercise under a given set of circumstances.
Page 2 of 2 Due Professional Care Guideline Version I-1.0