8/7/2019 G1UsingWorkofExperts
Introduction
The specialised nature of information systems auditing, and the skills necessary to perform such audits, require globally applicable standards that apply specifically to information systems auditing. One of the Information Systems Audit and Control Association, Inc.'s (ISACA's) goals is therefore to advance standards to meet this need. The development and dissemination of Standards for Information Systems Auditing are a cornerstone of the ISACA's professional contribution to the audit community.
Information systems auditing is defined as any audit that encompasses the review and evaluation of any aspect of automated information processing systems, including related nonautomated processes, and the interfaces between them.
Objectives
The objectives of the ISACA's Standards for Information Systems Auditing are to inform
- Information systems auditors of the minimum level of acceptable performance required to meet the professional responsibilities set out in the Code of Professional Ethics for information systems auditors
- Management and other interested parties of the profession's expectations concerning the work of practitioners
The objective of Guidelines for Information Systems Auditing Standards is to provide further information on how to comply with the Standards for Information Systems Auditing.
Scope and Authority of Standards for Information Systems Auditing
The framework for the ISACA's Standards for Information Systems Auditing provides for multiple levels of standards, as follows:
- Standards define mandatory requirements for IS auditing and reporting.
- Guidelines provide examples of different types of information systems audit work and set requirements for the work and its reporting. They are standards to the extent that an information systems auditor should be prepared to justify departure.
- Procedures provide examples of procedures an information systems auditor might follow in an audit engagement. The procedure documents provide information on how to meet the standards when doing information systems auditing work, but do not set requirements.
The ISACA Code of Professional Ethics requires members of the ISACA and holders of the Certified Information Systems Auditor (CISA) designation to comply with Information Systems Auditing Standards adopted by the ISACA. Apparent failure to comply with these may result in an investigation into the member's or CISA holder's conduct by the ISACA Board or appropriate ISACA committee and disciplinary action may ensue.
Development of Standards, Guidelines and Procedures
The ISACA Standards Board is committed to wide consultation in the preparation of Standards for Information Systems Auditing, Guidelines and Procedures. Prior to issuing any documents, the Standards Board issues exposure drafts internationally for general public comment. The Standards Board also seeks out those with a special expertise or interest in the topic under consideration for consultation where necessary.
The Standards Board has an on-going development programme, and would welcome the input of members of the ISACA and holders of the CISA designation to identify emerging issues requiring new standards products. Any suggestions should be e-mailed ([email protected]) or faxed (+1.847.253.1443) to ISACA's International Office, for the attention of the Director of Research, Standards and Academic Relations.
Document G1
1. BACKGROUND
1.1 Linkage to Standards
1.1.1 Standard S6 Performance of Audit Work states "During the course of the audit, the IS auditor should obtain sufficient, reliable and relevant evidence to achieve the audit objectives. The audit findings and conclusions are to be supported by appropriate analysis and interpretation of this evidence."
1.2 Need for Guideline
1.2.1 The interdependency of customers' and suppliers' processing and the outsourcing of non-core activities mean that an IS auditor (internal or external) will often find that parts of the environment being audited are controlled and audited by other independent functions or organisations. This guideline sets out how the IS auditor should comply with the above standard in these circumstances. Compliance with this guideline is not mandatory, but the IS auditor should be prepared to justify deviation from it.
2. AUDIT CHARTER
2.1 Rights of Access to the Work of Other Auditors or Experts
2.1.1 The IS auditor should ensure that, where the work of other auditors or experts is relevant to the IS audit objectives, the audit charter or engagement letter specifies the IS auditor's right of access to this work.
3. PLANNING
3.1 Planning Considerations
3.1.1 When an IS audit involves using the work of other auditors or experts, the IS auditor should consider their activities and their effect on the IS audit objectives while planning the IS audit work. The planning process should include:
- Assessing the independence and objectivity of the other auditors or experts
- Assessing their professional competence
- Obtaining an understanding of their scope of work and approach
- Determining the level of review required
3.2 Independence and Objectivity
3.2.1 The processes for selection and appointment, the organisational status, the reporting line and the effect of their recommendations on management practices are indicators of the independence and objectivity of other auditors and experts.
3.3 Professional Competence
3.3.1 The qualifications, experience and resources of other auditors and experts should all be taken into account in assessing professional competence.
3.4 Scope of Work and Approach
3.4.1 Scope of work and approach ordinarily will be evidenced by the other auditors' or experts' written audit charter, terms of reference or letter of engagement.
3.5 Level of Review Required
3.5.1 The nature, timing and extent of audit evidence required will depend upon the significance of the other IS auditors' or experts' work. The IS auditor's planning process should identify the level of review which is required to provide sufficient reliable, relevant and useful audit evidence to achieve the overall IS audit objectives effectively. The IS auditor should consider reviewing the other auditors' or experts' final report, audit programme(s) and audit workpapers. The IS auditor should also consider whether supplemental testing of the other auditors' or experts' work is required.
4. PERFORMANCE OF AUDIT WORK
4.1 Review of Other Auditors' or Experts' Workpapers
4.1.1 Where a review of the other auditors' or experts' workpapers is necessary, the IS auditor should perform sufficient audit work to confirm that the other auditors' or experts' work was appropriately planned, supervised, documented and reviewed and to consider the appropriateness and sufficiency of the audit evidence provided by them. Compliance with relevant professional standards should also be assessed.
4.2 Review of Other Auditors' or Experts' Report(s)
4.2.1 The IS auditor should perform sufficient reviews of the other auditors' or experts' final report(s) to confirm that the scope specified in the audit charter, terms of reference or letter of engagement has been met, that any significant assumptions used by the other auditors or experts have been identified and that the findings and conclusions reported have been agreed by management.
4.2.2 It may be appropriate for management to provide their own report on the audited entities, in recognition of their primary responsibility for systems of internal control. In this case the IS auditor should consider the management's and auditor's report together.
4.2.3 The IS auditor should assess the usefulness and appropriateness of reports issued by the other auditors and experts, and should consider any significant findings reported by the other auditors or experts. It is the IS auditor's responsibility to assess the effect of the other auditors' or experts' findings and conclusions on the overall audit objective, and to verify that any additional work required to meet the overall audit objective is completed.
5. FOLLOW-UP ACTIVITIES
5.1 Implementation of Recommendations
5.1.1 Where appropriate, the IS auditor should consider the extent to which management has implemented any recommendations of the other auditor or expert.
6. EFFECTIVE DATE
6.1 This guideline is effective for all information systems audits beginning on or after 1 June 1998.
APPENDIX/GLOSSARY
Independence - self-governance, freedom from conflict of interest and undue influence.
Objectivity - ability to exercise judgment, express opinions and present recommendations with impartiality.
Professional Competence - proven level of ability, often linked to qualifications issued by relevant professional bodies and compliance with their codes of practice and standards.
Copyright 1998
Information Systems Audit and Control Association
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Telephone: +1.847.253.1545
Fax: +1.847.253.1443
Email: [email protected]
Site: http://www.isaca.org