2. IS AUDIT AND ASSURANCE STANDARDS
Standards for IS Audit and Assurance effective 1 November 2013 are contained in ITAF, 3rd Edition.
6. Support the professional education of stakeholders in enhancing their understanding of the governance and management of enterprise information systems and technology, including: audit, control, security and risk management.
Standards define the mandatory requirements for IS audit and assurance and reporting.
They inform:
a. IS auditors of the minimum level of acceptable performance required to meet the professional responsibilities set out in the ISACA Code of Professional Ethics for IS auditors
b. Holders of the Certified Information Systems Auditor (CISA) designation of requirements
c. Management and other interested parties of the profession's expectations concerning the work of practitioners
Failure to comply with these standards may result in an investigation into the CISA holder's conduct by the ISACA Board of Directors or appropriate ISACA committee and, ultimately, in disciplinary action.
Divided into 3 categories:
a. General standards (1000 series)—Are the guiding principles under which the IS assurance profession operates. They apply to the conduct of all assignments, and deal with the IS audit and assurance professional's ethics, independence, objectivity and due care as well as knowledge, competency and skill.
b. Performance standards (1200 series)—Deal with the conduct of the assignment, such as planning and supervision, scoping, risk and materiality, resource mobilisation, supervision and assignment management, audit and assurance evidence, and the exercising of professional judgement and due care.
c. Reporting standards (1400 series)—Address the types of reports, means of communication and the information communicated.
LIST OF STANDARDS
General
1001 Audit Charter
1002 Organisational Independence
1003 Professional Independence
1004 Reasonable Expectation
1005 Due Professional Care
1006 Proficiency
1007 Assertions
1008 Criteria
Performance
1201 Engagement Planning
1202 Risk Assessment in Planning
1203 Performance and Supervision
1204 Materiality
1205 Evidence
1206 Using the Work of Other Experts
1207 Irregularity and Illegal Acts
Reporting
1401 Reporting
1402 Follow-up Activities
SNAPSHOTS OF IS AUDIT AND ASSURANCE STANDARDS
- IS audit and assurance professionals shall obtain sufficient and appropriate evidence to draw reasonable conclusions on which to base the engagement results.
- IS audit and assurance professionals shall monitor relevant information to conclude whether management has planned/taken appropriate timely action to address reported findings and recommendations.
- IS audit and assurance professionals shall plan each IS audit and assurance engagement to address:
  - Objective(s), scope, timeline and deliverables and resource requirements
  - Compliance with applicable laws and professional auditing standards
  - Use of a risk-based approach, where appropriate
  - Engagement-specific issues
  - Documentation and reporting requirements
  - Timing and extent of audit procedures to complete the engagement
3. IS AUDIT AND ASSURANCE GUIDELINES
Designed to directly support the standards and help practitioners achieve alignment with the standards.
They follow the same categorisation as the standards (also divided into 3 categories):
General guidelines (2000 series)
Performance guidelines (2200 series)
Reporting guidelines (2400 series)
LIST OF GUIDELINES
General
2001 Audit Charter
2002 Organisational Independence
2003 Professional Independence
2004 Reasonable Expectation
2005 Due Professional Care
2006 Proficiency
2007 Assertions
2008 Criteria
Performance
2201 Engagement Planning
2202 Risk Assessment in Planning
2203 Performance and Supervision
2204 Materiality
2205 Evidence
2206 Using the Work of Other Experts
2207 Irregularity and Illegal Acts
2208 Sampling
Reporting
2401 Reporting
2402 Follow-up Activities
4. AUDIT TOOLS & TECHNIQUES
Provide additional guidance for IS audit and assurance professionals and consist of:
• White papers,
• IS audit/assurance programmes,
• COBIT 5 family of products.
IT RISK ANALYSIS AND RISK MANAGEMENT
DEFINITIONS OF RISK
Impact scale, from the most severe band (left) to the least severe band (right):

Impact area | Measured as | Most severe | | | | Least severe
Financial loss (loss of sales, unforeseen costs, legal liabilities, fraud) | Total financial impact | Kshs 500+ million | Kshs 50-500 million | Kshs 5-50 million | Kshs 0.5-5 million | Kshs 0-0.5 million
Degraded performance (failure to achieve targets, loss of productivity) | Key targets under-achieved by | 10%+ | 5% to 10% | 1% to 5% | Less than 1% | No impact
 | Number of staff-hours wasted | 10,000+ staff-hours | 1,000 to 10,000 staff-hours | 500 to 1,000 staff-hours | 100 to 500 staff-hours | 0 to 100 staff-hours
Loss of management control (over key financial, health, safety or risks) | Key records not up-to-date or accurate | 1 month+ delay, all entries wrong | 1 to 4 week delay, many entries unreliable | Few days delay, some wrong entries | Few hours delay, a few wrong entries | Little delay, no wrong entries
Damaged reputation (negative publicity, regulatory disapproval, litigation) | Reputation eroded with customers representing | 10%+ of sales | 5% to 10% of sales | 1% to 5% of sales | Less than 1% of sales | No impact
RISK ANALYSIS - HEAT MAP ILLUSTRATION
[Figure: risk heat map. IMPACT axis: Significant/Serious Harm; Moderate/Minor Harm. LIKELIHOOD axis: High; Medium; Low.]
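The following Python script is an added worked example, not material from the slides, showing how the five-band impact definitions above and the impact-versus-likelihood heat map combine into a single risk rating. The four numeric scales (financial loss in Kshs million, targets under-achieved, staff-hours wasted, reputation eroded as a share of sales) are transcribed from the table; the qualitative "loss of management control" scale is left out because it has no numeric thresholds. The band numbering (5 = most severe, 1 = least severe), the "worst dimension wins" aggregation rule, the split of bands between the two heat-map impact rows, the priority in each heat-map cell and the two sample scenarios are all assumptions made for this example and are marked as such in the code.

```python
"""Added worked example: impact banding and heat-map placement.

The four numeric impact scales transcribe the "Definitions of risk" table on
the page. Everything else (the worst-dimension aggregation rule, the split
between the two heat-map impact rows, and the priority in each heat-map
cell) is an ASSUMPTION made for this example; the page shows only the axes.
"""

# Band 5 = the most severe column of the table, band 1 = the least severe.
# For each dimension: lower bounds (inclusive) for bands 5, 4, 3, 2 in turn,
# plus a flag saying whether a value below every bound but still positive
# belongs to a "less than X" band 2 (True) or to the bottom band 1 (False).
IMPACT_SCALES = {
    # Total financial impact, Kshs million: 500+, 50-500, 5-50, 0.5-5, 0-0.5
    "financial_loss_kshs_million": ((500, 50, 5, 0.5), False),
    # Key targets under-achieved by: 10%+, 5-10%, 1-5%, <1%, no impact
    "targets_underachieved_pct": ((10, 5, 1), True),
    # Staff-hours wasted: 10,000+, 1,000-10,000, 500-1,000, 100-500, 0-100
    "staff_hours_wasted": ((10_000, 1_000, 500, 100), False),
    # Reputation eroded with customers representing this share of sales:
    # 10%+, 5-10%, 1-5%, <1%, no impact
    "reputation_eroded_pct_sales": ((10, 5, 1), True),
}

LIKELIHOODS = ("High", "Medium", "Low")
SERIOUS, MINOR = "Significant/Serious Harm", "Moderate/Minor Harm"

# ASSUMPTION: priority assigned to each heat-map cell (impact row x likelihood column).
HEAT_MAP = {
    (SERIOUS, "High"): "Critical", (SERIOUS, "Medium"): "High", (SERIOUS, "Low"): "Medium",
    (MINOR, "High"): "Medium", (MINOR, "Medium"): "Low", (MINOR, "Low"): "Low",
}


def impact_band(dimension, value):
    """Return the table band (5 = most severe ... 1 = least) for one measurement."""
    bounds, positive_is_band_2 = IMPACT_SCALES[dimension]
    if value < 0:
        raise ValueError(f"{dimension}: impact measurements cannot be negative")
    band = 5
    for lower in bounds:              # walk the columns from most to least severe
        if value >= lower:
            return band
        band -= 1
    # Below every listed bound: "less than X" (band 2) or "no impact"/bottom band (1).
    return 2 if (positive_is_band_2 and value > 0) else 1


def harm_row(band):
    """ASSUMPTION: bands 4-5 sit in the serious row of the heat map, 1-3 in the minor row."""
    return SERIOUS if band >= 4 else MINOR


def analyse_scenario(measurements, likelihood):
    """Band every dimension, take the worst band as the overall impact
    (ASSUMPTION: worst dimension wins), then place the risk on the heat map."""
    if likelihood not in LIKELIHOODS:
        raise ValueError(f"likelihood must be one of {LIKELIHOODS}")
    bands = {dim: impact_band(dim, val) for dim, val in measurements.items()}
    worst = max(bands.values())
    row = harm_row(worst)
    return {
        "bands": bands,
        "overall_band": worst,
        "impact": row,
        "likelihood": likelihood,
        "priority": HEAT_MAP[(row, likelihood)],
    }


def render_heat_map():
    """Plain-text grid with the page's two impact rows and three likelihood columns."""
    header = "IMPACT \\ LIKELIHOOD".ljust(28) + "".join(l.ljust(10) for l in LIKELIHOODS)
    lines = [header]
    for row in (SERIOUS, MINOR):
        lines.append(row.ljust(28) + "".join(HEAT_MAP[(row, l)].ljust(10) for l in LIKELIHOODS))
    return "\n".join(lines)


# Constructed sample scenarios (not from the page), expressed in the table's units.
SAMPLE_SCENARIOS = {
    # Billing system unavailable for two days after a ransomware infection
    "billing_outage": {
        "financial_loss_kshs_million": 12,   # band 3
        "targets_underachieved_pct": 6,      # band 4
        "staff_hours_wasted": 1_500,         # band 4
        "reputation_eroded_pct_sales": 0.5,  # band 2
    },
    # One staff mailbox compromised by phishing, contained the same morning
    "single_mailbox_phish": {
        "financial_loss_kshs_million": 0.2,  # band 1
        "targets_underachieved_pct": 0,      # band 1
        "staff_hours_wasted": 40,            # band 1
        "reputation_eroded_pct_sales": 0,    # band 1
    },
}

if __name__ == "__main__":
    print(render_heat_map())
    for name, measurements in SAMPLE_SCENARIOS.items():
        likelihood = "Medium" if name == "billing_outage" else "High"
        print(name, analyse_scenario(measurements, likelihood))
```

Running the script prints the heat-map grid and then rates the two constructed scenarios: the billing outage reaches band 4 on two dimensions, so it lands in the serious row and, at medium likelihood, gets the "High" priority cell; the single-mailbox phish stays in band 1 everywhere and lands in the minor row. The point to take from the worst-dimension rule is that a loss which is small in money terms can still be rated serious because of the staff-hours or target shortfall it causes, which is why the table defines impact on several independent scales.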
PURPOSE OF RISK ANALYSIS