
1. ISACA CODE OF PROFESSIONAL ETHICS
2. IS AUDITING STANDARDS
3. IS AUDITING GUIDELINES
4. TOOLS AND TECHNIQUES

2. IS AUDIT AND ASSURANCE STANDARDS
Standards for IS Audit and Assurance effective 1 November 2013 are contained in ITAF, 3rd Edition.

Comparison with IIA

The International Professional Practices Framework (IPPF) is the conceptual framework that organizes authoritative guidance promulgated by The Institute of Internal Auditors. The IIA provides internal audit professionals worldwide with authoritative guidance organized in the IPPF as mandatory guidance and strongly recommended guidance.

Mandatory Guidance
The three mandatory elements of the IPPF are:
• Definition of Internal Auditing
• Code of Ethics
• International Standards for the Professional Practice of Internal Auditing (Standards)

Strongly Recommended Guidance
The three strongly recommended elements of the IPPF are:
• Position Papers
• Practice Advisories
• Practice Guides
1. ISACA CODE OF PROFESSIONAL ETHICS
Sets forth guidance for the professional and personal conduct of members of the association and/or its certification holders.
ISACA® sets forth this Code of Professional Ethics to guide the professional and personal conduct of members of the association and/or its certification holders.
Failure to comply with this Code of Professional Ethics can result in an investigation into a member's or certification holder's conduct and, ultimately, in disciplinary measures.
Members and ISACA® certification holders shall:
1. Support the implementation of, and encourage compliance with, appropriate standards and procedures for the effective governance and management of enterprise information systems and technology, including: audit, control, security and risk management.
2. Perform their duties with objectivity, due diligence and professional care, in accordance with professional standards.
3. Serve in the interest of stakeholders in a lawful manner, while maintaining high standards of conduct and character, and not discrediting the profession or the Association.
4. Maintain the privacy and confidentiality of information obtained in the course of their activities unless disclosure is required by legal authority. Such information shall not be used for personal benefit or released to inappropriate parties.
5. Maintain competency in their respective fields and agree to undertake only those activities they can reasonably expect to complete with the necessary skills, knowledge and competence.
6. Inform appropriate parties of the results of work performed, revealing all significant facts known to them.
7. Support the professional education of stakeholders in enhancing their understanding of the governance and management of enterprise information systems and technology, including: audit, control, security and risk management.
2. IS AUDIT AND ASSURANCE STANDARDS
Standards define the mandatory requirements for IS audit and assurance and reporting.

They inform:
a. IS auditors of the minimum level of acceptable performance required to meet the professional responsibilities set out in the ISACA Code of Professional Ethics for IS auditors
b. Management and other interested parties of the profession's expectations concerning the work of IS assurance practitioners
c. Holders of the Certified Information Systems Auditor (CISA) designation of requirements.
Failure to comply with these standards may result in an investigation into the CISA holder's conduct by the ISACA Board of Directors or appropriate ISACA committee and, ultimately, in disciplinary action.

Divided into 3 categories:
a. General standards (1000 series) - Are the guiding principles under which the IS assurance profession operates. They apply to the conduct of all assignments, and deal with the IS audit and assurance professional's ethics, independence, objectivity and due care as well as knowledge, competency and skill.
b. Performance standards (1200 series) - Deal with the conduct of the assignment, such as planning and supervision, scoping, risk and materiality, resource mobilisation, supervision and assignment management, audit and assurance evidence, and the exercising of professional judgement and due care.
c. Reporting standards (1400 series) - Address the types of reports, means of communication and the information communicated.
LIST OF STANDARDS
General
1001 Audit Charter
1002 Organisational Independence
1003 Professional Independence
1004 Reasonable Expectation
1005 Due Professional Care
1006 Proficiency
1007 Assertions
1008 Criteria

Performance
1201 Engagement Planning
1202 Risk Assessment in Planning
1203 Performance and Supervision
1204 Materiality
1205 Evidence
1206 Using the Work of Other Experts
1207 Irregularity and Illegal Acts

Reporting
1401 Reporting
1402 Follow-up Activities
SNAPSHOTS OF IS AUDIT AND ASSURANCE STANDARDS

- Purpose, responsibility, authority and accountability of the information systems audit function or information systems audit assignments should be appropriately documented in an audit charter or engagement letter.
- The audit charter or engagement letter should be agreed and approved at an appropriate level within the organization.
- IS audit and assurance professionals shall obtain sufficient and appropriate evidence to draw reasonable conclusions on which to base the engagement results.
- IS audit and assurance professionals shall monitor relevant information to conclude whether management has planned/taken appropriate timely action to address reported findings and recommendations.
- IS audit and assurance professionals shall plan each IS audit and assurance engagement to address: objective(s), scope, timeline, deliverables and resource requirements; compliance with applicable laws and professional auditing standards; use of a risk-based approach, where appropriate; engagement-specific issues; documentation and reporting requirements; timing and extent of audit procedures to complete the engagement.
3. IS AUDIT AND ASSURANCE GUIDELINES
Designed to directly support the standards and help practitioners achieve alignment with the standards.

They follow the same categorisation as the standards (also divided into 3 categories):
General guidelines (2000 series)
Performance guidelines (2200 series)
Reporting guidelines (2400 series)
LIST OF GUIDELINES
General
2001 Audit Charter
2002 Organisational Independence
2003 Professional Independence
2004 Reasonable Expectation
2005 Due Professional Care
2006 Proficiency
2007 Assertions
2008 Criteria

Performance
2201 Engagement Planning
2202 Risk Assessment in Planning
2203 Performance and Supervision
2204 Materiality
2205 Evidence
2206 Using the Work of other Experts
2207 Irregularity and Illegal Acts
2208 Sampling

Reporting
2401 Reporting
2402 Follow-up Activities
4. AUDIT TOOLS & TECHNIQUES
Provide additional guidance for IS audit and assurance professionals and consist of:

• White papers,
• IS audit/assurance programmes,
• Reference books; and
• COBIT 5 family of products.
IT RISK ANALYSIS AND RISK MANAGEMENT
DEFINITIONS OF RISK

1. Information security risk - the potential that a given threat will exploit vulnerabilities of an information asset or a group of assets and thereby cause harm to the organisation
2. Risk is the combination of the probability (likelihood) of an event and its consequence (impact) (ISO/IEC 73)
3. Risk can also be defined as "The potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization" (ISO/IEC PDTR 13335-1)
4. Generally speaking, risk is the product of the likelihood of an event occurring and the impact that event would have on an information system asset
RISK = PROBABILITY * IMPACT
IT RISK UNIVERSE
(P2s13)
RISK ANALYSIS - STANDARDS
IS Audit and Assurance Standard 1202 - Risk Assessment in Planning

• 1202.1 - The IS audit and assurance function shall use an appropriate risk assessment approach and supporting methodology to develop the overall IS audit plan and determine priorities for the effective allocation of IS audit resources (full annual audit plan)
• 1202.2 - IS audit and assurance professionals shall identify and assess risk relevant to the area under review, when planning individual engagements (specific audit)
• 1202.3 - IS audit and assurance professionals shall consider subject matter risk, audit risk and related exposure to the enterprise.
RISK ANALYSIS - GUIDELINES
• IS Audit and Assurance Guideline 2202 - Risk Assessment in Planning

• The guideline provides guidance in applying a risk assessment approach to develop an:
  • IS audit plan that covers all annual audit engagements
  • Audit engagement project plan that focuses on one specific audit engagement
RISK ANALYSIS
In analyzing the business risks arising from the use of IT, it is important for the IS auditor to have a clear understanding of:

1. The purpose and nature of the business, the environment in which the business operates and related business risks
2. The dependency on technology to process and deliver business information
3. The business risk of using IT and how it impacts the achievement of the business goals and objectives
4. A good overview of the business process and the impact of IT and related risks on the business process objectives

[Figure: risk analysis cycle - Identify business objectives (BO) -> Identify information assets supporting the BOs -> Perform Risk Assessment (RA) (Threat -> Probability -> Impact) -> Perform Risk Mitigation (RM) (Map risks with controls in place) -> Perform Risk Treatment (RT) (Treat significant risks not mitigated by existing controls)]
HARM REFERENCE TABLE
Note: This varies from one organisation to the other

LEVEL OF HARM
5 - Extremely serious harm: business survival threatened
4 - Very serious harm
3 - Serious harm
2 - Minor harm
1 - No significant harm

NATURE OF HARM / APPROPRIATE MEASURE (thresholds listed for levels 5, 4, 3, 2, 1):

Financial loss (loss of sales, unforeseen costs, legal liabilities, fraud) - Total financial impact:
  5: Kshs 500+ million; 4: Kshs 50-500 million; 3: Kshs 5-50 million; 2: Kshs 0.5-5 million; 1: Kshs 0-0.5 million

Degraded performance (failure to achieve targets, loss of productivity) - Key targets under-achieved by:
  5: 10%+; 4: 5% to 10%; 3: 1% to 5%; 2: Less than 1%; 1: No impact
Degraded performance - Number of staff-hours wasted:
  5: 10,000+ staff-hours; 4: 1,000 to 10,000 staff-hours; 3: 500 to 1,000 staff-hours; 2: 100 to 500 staff-hours; 1: 0 to 100 staff-hours

Loss of management control (over key financial, health, safety or risks) - Key records not up-to-date or accurate:
  5: 1 month+ delay, all entries wrong/unreliable; 4: 1 to 4 weeks delay, many entries wrong; 3: Few days delay, some entries wrong; 2: Few hours delay, a few wrong entries; 1: Little delay, no wrong entries

Damaged reputation (negative publicity, regulatory disapproval, litigation) - Reputation eroded with customers representing:
  5: 10%+ of sales; 4: 5% to 10% of sales; 3: 1% to 5% of sales; 2: Less than 1% of sales; 1: No impact
Damaged reputation - Extent of negative publicity:
  5: Extensive negative publicity; 4: Any negative publicity; 3: Any publicity; 2: No publicity; 1: No publicity
Damaged reputation - Regulatory action taken:
  5: Serious sanctions imposed; 4: Minor sanctions imposed; 3: Regulation breached; 2: No regulatory impact; 1: No regulatory impact
Damaged reputation - Extent of litigation:
  5: Prolonged court case; 4: Brief court case; 3: Minor court case; 2: No impact; 1: No impact

Impaired growth (delayed new lines of business or new ventures) - Strategic initiatives or deadlines missed:
  5: Aborted; 4: Strategic initiative delayed by months; 3: Strategic initiative delayed by weeks; 2: No impact; 1: No impact

Any other (i.e. ways not mentioned above) - Refer to your local co-ordinator:
  5: Extremely serious impact; 4: Very serious impact; 3: Serious impact; 2: Minor impact; 1: No significant impact

Please note: all blue text can be customized to suit the particular circumstances of your enterprise. The options available to you when selecting a level of harm are highlighted in red.
RISK ANALYSIS - HEAT MAP ILLUSTRATION

[Figure: 5x5 heat map. Vertical axis IMPACT: Intolerable/Extremely Serious Harm; Major/Very Serious Harm; Significant/Serious Harm; Moderate/Minor Harm; Minor/No significant harm. Horizontal axis LIKELIHOOD: Rare, Unlikely, Possible, Likely, Certain. Cells are coloured by Risk Indicator/Risk Rating: High, Medium, Low.]
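The scoring the slides describe (RISK = PROBABILITY * IMPACT on the 1-5 likelihood and harm scales, read off the heat map) carried through as a worked example. This is added illustration code, not from the slides or from ISACA. The Kshs and staff-hour bands come from the harm reference table above; the High/Medium/Low cut-offs, the inclusive band edges, the control-reduction figures and the sample register entries are assumptions, since the slides give no numeric thresholds.

```python
from dataclasses import dataclass

# Ordinal likelihood scale, from the heat map's horizontal axis.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "certain": 5}

# Ordinal impact (harm) scale, from the harm reference table / heat map rows.
IMPACT = {5: "Extremely serious harm", 4: "Very serious harm",
          3: "Serious harm", 2: "Minor harm", 1: "No significant harm"}


def financial_harm_level(loss_kshs_million: float) -> int:
    """Harm level for a financial loss, using the Kshs bands from the table.
    Band edges are treated as inclusive of the lower bound (an assumption)."""
    if loss_kshs_million < 0:
        raise ValueError("loss cannot be negative")
    if loss_kshs_million >= 500:
        return 5
    if loss_kshs_million >= 50:
        return 4
    if loss_kshs_million >= 5:
        return 3
    if loss_kshs_million >= 0.5:
        return 2
    return 1


def staff_hours_harm_level(hours: int) -> int:
    """Harm level for wasted staff-hours, using the bands from the table."""
    if hours < 0:
        raise ValueError("hours cannot be negative")
    if hours >= 10_000:
        return 5
    if hours >= 1_000:
        return 4
    if hours >= 500:
        return 3
    if hours >= 100:
        return 2
    return 1


def risk_score(likelihood: int, impact: int) -> int:
    """RISK = PROBABILITY * IMPACT on the two 1..5 scales (product 1..25)."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be on the 1..5 scale")
    return likelihood * impact


def risk_rating(score: int) -> str:
    """Heat-map colour band for a score. The cut-offs (>=15 High, >=6 Medium,
    else Low) are an assumption: the slides show High/Medium/Low but give no numbers."""
    if score >= 15:
        return "High"
    if score >= 6:
        return "Medium"
    return "Low"


@dataclass
class RiskItem:
    """One register entry. likelihood is a LIKELIHOOD key; impact is a harm level 1..5.
    The reduction fields express what existing controls take off each scale
    (the 'map risks with controls in place' step); the values are assumptions."""
    name: str
    likelihood: str
    impact: int
    likelihood_reduction: int = 0
    impact_reduction: int = 0


def assess(item: RiskItem) -> dict:
    """Inherent (before controls) and residual (after controls) score and rating."""
    lik = LIKELIHOOD[item.likelihood]
    inherent = risk_score(lik, item.impact)
    residual = risk_score(max(1, lik - item.likelihood_reduction),
                          max(1, item.impact - item.impact_reduction))
    return {
        "name": item.name,
        "inherent": inherent, "inherent_rating": risk_rating(inherent),
        "residual": residual, "residual_rating": risk_rating(residual),
        # Anything not Low after existing controls still needs a treatment decision.
        "needs_treatment": risk_rating(residual) != "Low",
    }


def prioritise(register: list) -> list:
    """Rank entries by residual score, highest first, to direct audit effort (1202.1)."""
    return sorted((assess(r) for r in register), key=lambda a: a["residual"], reverse=True)


# Constructed sample register (illustrative values, not from the slides).
SAMPLE_REGISTER = [
    RiskItem("Ransomware on the core banking host", "possible",
             financial_harm_level(120), likelihood_reduction=1),
    RiskItem("Payroll batch job misses its deadline", "likely",
             staff_hours_harm_level(300), likelihood_reduction=2),
    RiskItem("Shared administrator password on the file server", "certain",
             financial_harm_level(2)),
]

if __name__ == "__main__":
    for entry in prioritise(SAMPLE_REGISTER):
        print(f"{entry['name']}: inherent {entry['inherent']} ({entry['inherent_rating']}), "
              f"residual {entry['residual']} ({entry['residual_rating']})")
```

Running the module prints the register ordered by residual score, which is the order in which the audit plan would allocate effort; the inherent score is kept alongside so the reviewer can see how much of the reduction rests on controls whose operating effectiveness still has to be tested.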
PURPOSE OF RISK ANALYSIS

• Assists the IS auditor in identifying risks and the threats to an IT environment and IS system (risks and threats that would need to be addressed by management) and in identifying system-specific internal controls
• Helps the IS auditor in his/her evaluation of controls in audit planning
• Assists the IS auditor in determining audit objectives
• Supports risk-based audit decision making

RISK MANAGEMENT

• Process of identifying vulnerabilities and threats to the information resources used by an organisation in achieving its business objectives and deciding what countermeasures (safeguards/controls), if any, to take in reducing the risk to an acceptable level (i.e. residual risk) based on the value of the information resource to the organisation.
• Effective risk management begins with an understanding of the organization's appetite for risk.
• Risk Appetite: The amount of risk, on a broad level, that an entity is willing to accept in pursuit of its objectives.
• IT Risk Management comprises identifying, analyzing, evaluating, treating, monitoring and communicating the impact of risk on IT processes.
RISK TREATMENT (additional notes in PDC)

• Depending on the type of risk and significance to the business, management and the board may choose to:

Avoid - Eliminate the risk by eliminating the cause
Accept - Formally acknowledge the existence of the risk and monitor it
Mitigate - Lessen the probability or impact of the risk by defining, implementing and monitoring appropriate controls
Transfer (deflect, or allocate) - Share risk with partners or transfer via insurance coverage, contractual agreement or other means
