IS Standards, Guidelines and Procedures for Auditing and Control ...

More documents

Recommendations

Info

information provided, appropriate testing or other procedures should be undertaken to ascertain the true position or status prior toconcluding follow-up activities.09 A report on the status of follow-up activities, including agreed recommendations not implemented, may be presented to the auditcommittee if one has been established, or alternatively to the appropriate level of entity management.10 As a part of the follow-up activities, the IS auditor should evaluate whether findings if not implemented are still relevant.Operative Date11 This IS Auditing Standard is effective for information systems audits beginning 1 January 2005.S9 Irregularities and Illegal ActsIntroduction01 ISACA standards contain basic principles and essential procedures identified in bold type, which are mandatory, together withrelated guidance.02 The purpose of this ISACA Standard is to establish and provide guidance on irregularities and illegal acts that the IS auditor shouldconsider during the audit process.Standard03 In planning and performing the audit to reduce audit risk to a low level, the IS auditor should consider the risk ofirregularities and illegal acts.04 The IS auditor should maintain an attitude of professional skepticism during the audit, recognising the possibilitythat material misstatements due to irregularities and illegal acts could exist, irrespective of his/her evaluation of therisk of irregularities and illegal acts.05 The IS auditor should obtain an understanding of the organisation and its environment, including internal controls.06 The IS auditor should obtain sufficient and appropriate audit evidence to determine whether management or otherswithin the organisation have knowledge of any actual, suspected or alleged irregularities and illegal acts.07 When performing audit procedures to obtain an understanding of the organisation and its environment, the ISauditor should consider unusual or unexpected relationships that may indicate a risk of material misstatements dueto irregularities and illegal acts.08 The IS auditor should design and perform procedures to test the appropriateness of internal control and the risk ofmanagement override of controls.09 When the IS auditor identifies a misstatement, the IS auditor should assess whether such a misstatement may beindicative of an irregularity or illegal act. If there is such an indication, the IS auditor should consider the implicationsin relation to other aspects of the audit and in particular the representations of management.10 The IS auditor should obtain written representations from management at least annually or more often depending onthe audit engagement. It should:• Acknowledge its responsibility for the design and implementation of internal controls to prevent and detectirregularities or illegal acts• Disclose to the IS auditor the results of the risk assessment that a material misstatement may exist as a result ofan irregularity or illegal act• Disclose to the IS auditor its knowledge of irregularities or illegal acts affecting the organisation in relation to:– Management– Employees who have significant roles in internal control• Disclose to the IS auditor its knowledge of any allegations of irregularities or illegal acts, or suspectedirregularities or illegal acts affecting the organisation as communicated by employees, former employees,regulators and others11 If the IS auditor has identified a material irregularity or illegal act, or obtains information that a material irregularity orillegal act may exist, the IS auditor should communicate these matters to the appropriate level of management in atimely manner.12 If the IS auditor has identified a material irregularity or illegal act involving management or employees who havesignificant roles in internal control, the IS auditor should communicate these matters in a timely manner to thosecharged with governance.13 The IS auditor should advise the appropriate level of management and those charged with governance of materialweaknesses in the design and implementation of internal control to prevent and detect irregularities and illegal actsthat may have come to the IS auditor’s attention during the audit.14 If the IS auditor encounters exceptional circumstances that affect the IS auditor’s ability to continue performing theaudit because of a material misstatement or illegal act, the IS auditor should consider the legal and professionalresponsibilities applicable in the circumstances, including whether there is a requirement for the IS auditor to reportto those who entered into the engagement or in some cases those charged with governance or regulatory authoritiesor consider withdrawing from the engagement.15 The IS auditor should document all communications, planning, results, evaluations and conclusions relating tomaterial irregularities and illegal acts that have been reported to management, those charged with governance,regulators and others.Commentary16 The IS auditor should refer to IS Auditing Guideline G19, Irregularities and Illegal Acts, for a definition of what constitutes anirregularity and illegal act.17 The IS auditor should obtain reasonable assurance that there are no material misstatements due to irregularities and illegal acts.An IS auditor cannot obtain absolute assurance because of factors such as the use of judgement, the extent of testing and theinherent limitations of internal controls. Audit evidence available to the IS auditor during an audit should be persuasive in naturerather than conclusive.12
18 The risk of not detecting a material misstatement resulting from an illegal act is higher than the risk of not detecting a materialmisstatement resulting from an irregularity or error, because illegal acts may involve complex schemes designed to conceal or hideevents or intentional misrepresentations to the IS auditor.19 The IS auditor’s previous experience and knowledge of the organisation should assist the IS auditor during the audit. When makinginquiries and performing audit procedures, the IS auditor should not be expected to fully disregard past experience, but should beexpected to maintain a level of professional scepticism. The IS auditor should not be satisfied with less than persuasive auditevidence based on a belief that management and those charged with governance are honest and have integrity. The IS auditor andthe engagement team should discuss the organisation’s susceptibility to irregularities and illegal acts as part of the planningprocess and throughout the duration of the audit.20 To evaluate the risk of material irregularities and illegal acts existence, the IS auditor should consider the use of:• His/her previous knowledge and experience with the organisation (including his/her experience about the honesty andintegrity of management and those charged with governance)• Information obtained making inquiries of management• Management representations and internal control sign-offs• Other reliable information obtained during the course of the audit• Management’s assessment of the risk of irregularities and illegal acts, and its process for identifying and responding to theserisks21 The following guidance should be referred to for further information on irregularities and illegal acts:• IS Auditing Guideline G5, Audit Charter• COBIT Framework, control objective DS3, DS5, DS9, DS11 and PO6• Sarbanes-Oxley Act of 2002• Foreign Corrupt Practices Act 1977Operative Date22 This ISACA Standard is effective for all information systems audits beginning on or after 1 September 2005.S10 IT GovernanceIntroduction01 ISACA standards contain basic principles and essential procedures identified in bold type, which are mandatory, together with relatedguidance.02 The purpose of this ISACA standard is to establish and provide guidance on IT governance areas that the IS auditor needs to considerduring the audit process.Standard03 The IS auditor should review and assess whether the IS function aligns with the organisation’s mission, vision,values, objectives and strategies.04 The IS auditor should review whether the IS function has a clear statement about the performance expected by thebusiness (effectiveness and efficiency) and assess its achievement.05 The IS auditor should review and assess the effectiveness of IS resource and performance management processes.06 The IS auditor should review and assess compliance with legal, environmental and information quality, and fiduciaryand security requirements.07 A risk-based approach should be used by the IS auditor to evaluate the IS function.08 The IS auditor should review and assess the control environment of the organisation.09 The IS auditor should review and assess the risks that may adversely effect the IS environment.Additional Guidance10 The IS auditor should refer to IS Auditing Guideline G18, IT Governance.11 The IS auditor should review and assess the risks of the IS working environment that support business processes. The ISaudit activity should assist the organisation by identifying and evaluating significant exposures to risk and contributing to theimprovement of risk management and control systems.12 IT governance can be reviewed by itself or considered in every review carried out of the IS function.13 The IS auditor should refer to the following guidance for further information on IT governance:• IS Auditing Guidelines:– G5 Audit Charter– G6 Materiality Concepts for Auditing Information Systems– G12 Organisational Relationship and Independence– G13 Use of Risk Assessment in Audit Planning– G15 Planning– G16 Effect of Third Parties on an Organisation’s IT Controls– G17 Effect of a Nonaudit Role on the IS Auditor’s Independence• COBIT Management Guidelines• COBIT Framework, Control Objectives; this standard relates to all control objectives inall COBIT domains.• Board Briefing on IT Governance, 2 nd Edition, IT Governance Institute• IT Control Objectives for Sarbanes-Oxley, IT Governance Institute• US Sarbanes-Oxley Act of 2002 and other specific regulations could be alsoapplicable.13
Page 1: IS Standards, Guidelines and Proced
Page 4 and 5: Code of Professional EthicsThe Info
Page 6 and 7: IS Auditing Standards OverviewIssue
Page 8 and 9: IS Auditing StandardsIssued by Info
Page 10 and 11: 03 The IS auditor should plan the i
Page 14 and 15: Operative Date14 This ISACA standar
Page 16 and 17: IS Auditing GuidelinesG1 Using the
Page 18 and 19: G2 Audit Evidence Requirement1. BAC
Page 20 and 21: G3 Use of Computer Assisted Audit T
Page 22 and 23: G3 Use of Computer Assisted Audit T
Page 24 and 25: G4 Outsourcing of IS Activities to
Page 26 and 27: G5 Audit Charter continued2.3.2 The
Page 28 and 29: G6 Materiality Concepts for Auditin
Page 30 and 31: G8 Audit Documentation1. BACKGROUND
Page 32 and 33: • Organisational characteristics;
Page 34 and 35: G10 Audit Sampling1. BACKGROUND1.1
Page 36 and 37: G10 Audit Sampling continued2.5.2 A
Page 38 and 39: G11 Effect of Pervasive IS Controls
Page 40 and 41: G11 Effect of Pervasive IS Controls
Page 42 and 43: G12 Organisational Relationship and
Page 44 and 45: G13 Use of Risk Assessment in Audit
Page 46 and 47: G14 Application Systems Review1. BA
Page 48 and 49: G15 Planning1.` BACKGROUND1.1 Linka
Page 50 and 51: G16 Effect of Third Parties on an O
Page 52 and 53: G16 Effect of Third Parties on an O
Page 54 and 55: G17 Effect of Nonaudit Role on the
Page 56 and 57: G17 Effect of Nonaudit Role on the
Page 58 and 59: G18 IT Governance continued4.1.3 Th
Page 60 and 61: G18 IT Governance continued• Info
Page 62 and 63:
G19 Irregularities and Illegal Acts
Page 64 and 65:
G19 Irregularities and Illegal Acts
Page 66 and 67:
G20 Reporting continued2.1.1 The pu
Page 68 and 69:
G20 Reporting continued• Statemen
Page 70 and 71:
G21 Enterprise Resource Planning (E
Page 72 and 73:
Page 74 and 75:
Page 76 and 77:
Page 78 and 79:
G22 Business-to-consumer (B2C) E-co
Page 80 and 81:
Page 82 and 83:
Page 84 and 85:
Page 86 and 87:
G23 System Development Life Cycle (
Page 88 and 89:
G23 System Development Life Cycle (
Page 90 and 91:
G24 Internet Banking continued• I
Page 92 and 93:
G24 Internet Banking continued6.1.2
Page 94 and 95:
G24 Internet Banking continued7.2.4
Page 96 and 97:
G24 Internet Banking continuedREFER
Page 98 and 99:
G25 Review of Virtual Private Netwo
Page 100 and 101:
3.6 Operating Risk3.6.1 Risks such
Page 102 and 103:
• Highlight the risks and issues
Page 104 and 105:
G26 Business Process Reengineering
Page 106 and 107:
Page 108 and 109:
Page 110 and 111:
G27 Mobile Computing1. BACKGROUND1.
Page 112 and 113:
G27 Mobile Computing continued• N
Page 114 and 115:
G28 Computer Forensics1. BACKGROUND
Page 116 and 117:
G28 Computer Forensics continued•
Page 118 and 119:
G28 Computer Forensics continued7.2
Page 120 and 121:
G29 Post-implementation Review1. BA
Page 122 and 123:
G29 Post-implementation Review cont
Page 124 and 125:
G29 Post-implementation Review cont
Page 126 and 127:
G30 Competence continued1.4.6 This
Page 128 and 129:
G30 Competence conntinued4. RECORDS
Page 130 and 131:
G31 Privacy continued1.6 Definition
Page 132 and 133:
G31 Privacy continued■■■Secur
Page 134 and 135:
G31 Privacy continued■■■■
Page 136 and 137:
IS Auditing ProceduresIS Risk Asses
Page 138 and 139:
IS Risk Assessment Measurement Proc
Page 140 and 141:
Page 142 and 143:
Page 144 and 145:
Page 146 and 147:
Page 148 and 149:
Page 150 and 151:
Digital Signature and Key Managemen
Page 152 and 153:
SpecificTechnicalAspect of a CAOper
Page 154 and 155:
Intrusion Detection Procedure P3 co
Page 156 and 157:
Intrusion Detection Systems (IDS) R
Page 158 and 159:
ReportingSuggested ProceduresReport
Page 160 and 161:
Suggested Procedures for Preventing
Page 162 and 163:
Suggested Procedures for Preventing
Page 164 and 165:
Control Risk Self-assessment Proced
Page 166 and 167:
Page 168 and 169:
Facilitatedworkshop usingthe proces
Page 170 and 171:
Page 172 and 173:
Firewalls Procedure P6 continued2.1
Page 174 and 175:
Page 176 and 177:
Firewalls Procedure P6 continued•
Page 178 and 179:
Page 180 and 181:
Stateful inspection/dynamic packetf
Page 182 and 183:
Suggested ProceduresConfirm network
Page 184 and 185:
Firewalls Procedure P6 continuedHar
Page 186 and 187:
Irregularities and Illegal Acts Pro
Page 188 and 189:
AnalyticalproceduresDutiesApplicati
Page 190 and 191:
Irregularities and Illegal Acts Pro
Page 192 and 193:
Security Assessment-Penetration Tes
Page 194 and 195:
Security Assessment-Penetration Tes
Page 196 and 197:
InternetPenetrationTestingSuggested
Page 198 and 199:
InternalPenetrationTestingcontinued
Page 200 and 201:
WebApplicationcontinuedReportSugges
Page 202 and 203:
Evaluation of Management Control Ov
Page 204 and 205:
Evaluation of Management Control Ov
Page 206 and 207:
Aspects ofEncryptionOrganisationalm
Page 208 and 209:
IS Control Professionals StandardsI
Page 210:
ISACA Standards Documents CommentsI
show all

IS Standards, Guidelines and Procedures for Auditing and Control ...

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?