G1UsingWorkofExperts


  • 8/7/2019 G1UsingWorkofExperts


    Introduction

    The specialised nature of information systems auditing, and the skills necessary to perform such audits, require globally applicable standards that apply specifically to information systems auditing. One of the Information Systems Audit and Control Association, Inc.'s (ISACA's) goals is therefore to advance standards to meet this need. The development and dissemination of Standards for Information Systems Auditing are a cornerstone of the ISACA's professional contribution to the audit community.

    Information systems auditing is defined as any audit that encompasses the review and evaluation of any aspect of automated information processing systems, including related nonautomated processes, and the interfaces between them.

    Objectives

    The objectives of the ISACA's Standards for Information Systems Auditing are to inform:

    • Information systems auditors of the minimum level of acceptable performance required to meet the professional responsibilities set out in the Code of Professional Ethics for information systems auditors

    • Management and other interested parties of the profession's expectations concerning the work of practitioners

    The objective of Guidelines for Information Systems Auditing Standards is to provide further information on how to comply with the Standards for Information Systems Auditing.

    Scope and Authority of Standards for Information Systems Auditing

    The framework for the ISACA's Standards for Information Systems Auditing provides for multiple levels of standards, as follows:

    • Standards define mandatory requirements for IS auditing and reporting.

    • Guidelines provide examples of different types of information systems audit work and set requirements for the work and its reporting. They are standards to the extent that an information systems auditor should be prepared to justify departure.

    • Procedures provide examples of procedures an information systems auditor might follow in an audit engagement. The procedure documents provide information on how to meet the standards when doing information systems auditing work, but do not set requirements.

    The ISACA Code of Professional Ethics requires members of the ISACA and holders of the Certified Information Systems Auditor (CISA) designation to comply with Information Systems Auditing Standards adopted by the ISACA. Apparent failure to comply with these may result in an investigation into the member's or CISA holder's conduct by the ISACA Board or appropriate ISACA committee and disciplinary action may ensue.

    Development of Standards, Guidelines and Procedures

    The ISACA Standards Board is committed to wide consultation in the preparation of Standards for Information Systems Auditing, Guidelines and Procedures. Prior to issuing any documents, the Standards Board issues exposure drafts internationally for general public comment. The Standards Board also seeks out those with a special expertise or interest in the topic under consideration for consultation where necessary.

    The Standards Board has an on-going development programme, and would welcome the input of members of the ISACA and holders of the CISA designation to identify emerging issues requiring new standards products. Any suggestions should be e-mailed ([email protected]) or faxed (+1.847.253.1443) to ISACA's International Office, for the attention of the Director of Research, Standards and Academic Relations.

    Document G1


    1. BACKGROUND

    1.1 Linkage to Standards

    1.1.1 Standard S6 Performance of Audit Work states "During the course of the audit, the IS auditor should obtain sufficient, reliable and relevant evidence to achieve the audit objectives. The audit findings and conclusions are to be supported by appropriate analysis and interpretation of this evidence."

    1.2 Need for Guideline

    1.2.1 The interdependency of customers' and suppliers' processing and the outsourcing of non-core activities mean that an IS auditor (internal or external) will often find that parts of the environment being audited are controlled and audited by other independent functions or organisations. This guideline sets out how the IS auditor should comply with the above standard in these circumstances. Compliance with this guideline is not mandatory, but the IS auditor should be prepared to justify deviation from it.

    2. AUDIT CHARTER

    2.1 Rights of Access to the Work of Other Auditors or Experts

    2.1.1 The IS auditor should ensure that, where the work of other auditors or experts is relevant to the IS audit objectives, the audit charter or engagement letter specifies the IS auditor's right of access to this work.

    3. PLANNING

    3.1 Planning Considerations

    3.1.1 When an IS audit involves using the work of other auditors or experts, the IS auditor should consider their activities and their effect on the IS audit objectives while planning the IS audit work. The planning process should include:

    • Assessing the independence and objectivity of the other auditors or experts

    • Assessing their professional competence

    • Obtaining an understanding of their scope of work and approach

    • Determining the level of review required

    3.2 Independence and Objectivity

    3.2.1 The processes for selection and appointment, the organisational status, the reporting line and the effect of their recommendations on management practices are indicators of the independence and objectivity of other auditors and experts.

    3.3 Professional Competence

    3.3.1 The qualifications, experience and resources of other auditors and experts should all be taken into account in assessing professional competence.

    3.4 Scope of Work and Approach

    3.4.1 Scope of work and approach ordinarily will be evidenced by the other auditor's or expert's written audit charter, terms of reference or letter of engagement.

    3.5 Level of Review Required

    3.5.1 The nature, timing and extent of audit evidence required will depend upon the significance of the other IS auditor's or expert's work. The IS auditor's planning process should identify the level of review which is required to provide sufficient reliable, relevant and useful audit evidence to achieve the overall IS audit objectives effectively. The IS auditor should consider reviewing the other auditor's or expert's final report, audit programme(s) and audit workpapers. The IS auditor should also consider whether supplemental testing of the other auditor's or expert's work is required.

    4. PERFORMANCE OF AUDIT WORK

    4.1 Review of Other Auditor's or Expert's Workpapers

    4.1.1 Where a review of the other auditor's or expert's workpapers is necessary, the IS auditor should perform sufficient audit work to confirm that the other auditor's or expert's work was appropriately planned, supervised, documented and reviewed and to consider the appropriateness and sufficiency of the audit evidence provided by them. Compliance with relevant professional standards should also be assessed.

    4.2 Review of Other Auditor's or Expert's Report(s)

    4.2.1 The IS auditor should perform sufficient reviews of the other auditor's or expert's final report(s) to confirm that the scope specified in the audit charter, terms of reference or letter of engagement has been met, that any significant assumptions used by the other auditors or experts have been identified and that the findings and conclusions reported have been agreed by management.

    4.2.2 It may be appropriate for management to provide their own report on the audited entities, in recognition of their primary responsibility for systems of internal control. In this case the IS auditor should consider the management's and auditor's report together.

    4.2.3 The IS auditor should assess the usefulness and appropriateness of reports issued by the other auditors and experts, and should consider any significant findings reported by the other auditors or experts. It is the IS auditor's responsibility to assess the effect of the other auditor's or expert's findings and conclusions on the overall audit objective, and to verify that any additional work required to meet the overall audit objective is completed.

    5. FOLLOW-UP ACTIVITIES

    5.1 Implementation of Recommendations

    5.1.1 Where appropriate, the IS auditor should consider the extent to which management has implemented any recommendations of the other auditor or expert.

    6. EFFECTIVE DATE

    6.1 This guideline is effective for all information systems audits beginning on or after 1 June 1998.

    APPENDIX/GLOSSARY

    Independence - self-governance, freedom from conflict of interest and undue influence.

    Objectivity - ability to exercise judgment, express opinions and present recommendations with impartiality.

    Professional Competence - proven level of ability, often linked to qualifications issued by relevant professional bodies and compliance with their codes of practice and standards.

    Copyright 1998
    Information Systems Audit and Control Association
    3701 Algonquin Road, Suite 1010
    Rolling Meadows, IL 60008 USA
    Telephone: +1.847.253.1545
    Fax: +1.847.253.1443
    Email: [email protected]
    Site: http://www.isaca.org