To ensure the audit is comprehensive, you will use guidelines to assist you in applying IS Auditing Standards. These standards define the mandatory requirements for IS auditing and reporting, as well as provide a minimum level of performance for auditors. The Information Systems Auditing Association (ISACA) provides the auditing community with guidance in the form of auditing guidelines, standards, and policies specific to information systems (IS) auditing. One of the goals of the ISACA is to advance globally applicable standards to meet its vision. The development and dissemination of the IS Auditing Standards is a cornerstone of the ISACA professional contribution to the audit community. The ISACA framework for the IS Auditing Standards provides multiple levels of guidance for conducting IT audits. There are 8 categories and 12 overall IS auditing standards. IS Auditing Standards are brief mandatory requirements for certification holders' reports on the audit and its findings. IS Auditing Guidelines and Procedures give detailed guidance on how to follow those standards. The IS Auditing Guidelines provide a framework an IS auditor normally follows, with the understanding that in some situations the auditor will not follow that guidance. In this case, it is the IS auditor's responsibility to justify the way in which the work is done. The Procedures examples show the steps performed by an IS auditor and are more informative than IS Auditing Guidelines. Table 1.1 provides ISACA's definition of standards, guidelines, and procedures.
Auditing Standards Explained

The examples are constructed to follow the IS Auditing Standards and the IS Auditing Guidelines, and provide information on following the IS Auditing Standards. To some extent, they also establish best practices for procedures to be followed.

Codification

The eight standards categories are the first three digits in a document number. IS Auditing Standards begin with 0; Standards for IS Control Professionals begin with 5. The standards numbers are the second three digits in the document number. The third set of three digits in a document number is the number of the guideline. Procedures are listed separately and numbered consecutively by issue date. For example, document 060.020.040 is a guideline. It provides guidance in the sixth standard category, Performance of Audit Work. The guidance applies to the second standard in that category, Evidence. It is the fourth guideline listed under Evidence. Procedures are numbered consecutively as they are issued, beginning with 1.

Use

It is suggested that during the annual audit program, as well as during individual reviews throughout the year, the IS auditor should review the standards to ensure compliance with them. The IS auditor can refer to the ISACA standards in the report, stating that the review was conducted in compliance with the laws of the country, applicable audit regulations, and ISACA standards. Table 1.2 is the ISACA framework for the IS auditor. This framework is broken down into multiple levels of guidance.
The primary purpose of an audit charter is to describe the authority and responsibilities of the audit department.

The ISACA Code of Professional Ethics

As an auditor, you will have access to a variety of information, including intellectual property, internal controls, legal contracts, internal procedures, and both business and IT strategies. ISACA has set forth a Code of Professional Ethics to guide the professional and personal conduct of members of the association and its certification holders. Members and ISACA certification holders shall...
Failure to comply with this Code of Professional Ethics can result in an investigation into a member's or certification holder's conduct and, ultimately, in disciplinary measures. As an auditor, it is important that you pay particular attention to maintaining the privacy and confidentiality of information obtained in the course of your duties and informing the appropriate parties of the results of work performed, revealing all significant facts known to you. Although management is ultimately responsible for preventing and detecting irregular or illegal acts, you must plan the IT audit engagement based on the assessed level of risk that these acts might occur and design audit procedures that can identify these acts. The auditor then should create a report of the findings of the audit revealing all significant facts known to him or her. As previously stated, auditors are not qualified to determine whether an irregular, illegal, or erroneous act has occurred. If during the course of the audit the auditor suspects that these acts have occurred, the auditor must report this to one or more of the following parties:
For more information on ISACA's auditing standards, guidelines, and code of professional ethics, visit www.isaca.org. As we know, privacy is an issue at the forefront in today's society. A majority of organizations have developed privacy policies that outline how they collect, store, protect, and use private information, along with controls designed to protect private information. As an auditor, you will assess the strength and effectiveness of controls designed to protect personally identifiable information in organizations. This will help ensure that management develops, implements, and operates sound internal controls aimed at protecting the private information that it collects and stores during the normal course of business. So far, we have provided you with auditors' responsibilities, the ISACA code of ethics, and definitions for guidelines, standards, and procedures for IS auditing. At this point, you might be asking yourself, "What am I getting myself into?" and "What is IS auditing really?" Whether you are a financial auditor, a network or security systems engineer, or new to IS auditing, rest assured that we will guide you through the auditing process and assist you in understanding how the IS audit process and its components fit together. We start at the top by providing you with IS audit planning and management techniques. As you read through the remainder of this chapter and the following chapters, keep in mind that we start from the auditor's perspective in planning the IS audit and add the components as we go along. Be sure to use all the resources available to you to completely understand the topic before moving forward. You have the CBT and the questions at the end of each chapter to keep you focused and on track.
To help solidify the process and components in your mind as you read, apply the things you are learning to your own organization; try to envision the planning, documentation, and people you would communicate with (at both the management and operational levels); imagine what type of information you could expect to receive/review; and consider how you would communicate your results at all levels in the organization. Keep in mind that the work you perform can directly assist in the successful assessment and mitigation of risk and overall security of the organization you are auditing. If performed successfully, it will be a factor in ensuring the success of the organization, management, employees, and continued service to customers. Good luck and have fun!