Overview of IS Audit Standards, Guidelines

1
Overview of IS Audit Standards, Guidelines
Procedures

• Ang Swee Leong
• Secretary, ISACA Malaysia Chapter
• Senior Manager, Ernst Young

2
Agenda

• ISACA Standards, Guidelines Procedures for IS
  Auditing
• Standards
• Code of Professional Ethics
• Guidelines
• Procedures
• Putting it into Practice

3
ISACA Standards, Guidelines Procedures for IS
Auditing

• Standards for Information Systems Auditing
• Guidelines for IS Auditing
• Code of Professional Ethics
• Procedures for IS Auditing

4
Objectives for ISACAs Standards

• Minimum level of acceptable performance required
  to meet professional responsibilities set out in
  the Code of Professional Ethics.
• Mandatory requirements for IS auditing and
  reporting
• Inform Management and other interested parties of
  the professions expectations concerning the work
  of practitioners.

5
ISACA Code of Professional Ethics

• Provides guidance for the professional and
  personal conduct of
• members of the Association and/or
• holders of the CISA designation.

6
ISACA Guidelines for IS Auditing The IS Auditor
should

• Consider the guidelines in determining how to
  implement the above mentioned standards
• Auditing Standards
• Evidence and Evaluation
• Use professional judgement in applying them.
• Be able to justify any departure.

7
ISACA Audit Procedures

• provide examples of procedures an IS auditor
  might follow in an audit engagement.
• provide information on how to meet the standards
  when performing IS auditing work, but do not set
  requirements.
• should not be considered inclusive of any proper
  procedures and tests or exclusive of other
  procedures and tests that are reasonably directed
  to obtain the same results.

8
What these procedures provide

• Linkages to ISACAs Governance, Control and Audit
  Objectives for Information and related Technology
  (CObIT)
• an indication of what you ought know
• an indication of what you dont know
• Audit worksteps normally performed

9
What they dont provide

• IS Auditing Procedures
• dont replace complete methodologies
• should not be considered inclusive of any proper
  procedures and tests
• nor, exclusive of other procedures and tests
• does not replace
• professional judgment
• practical and technical experience, nor
• Appropriate workprograms and test of controls

10
Thank You
11
The (8) IS Auditing standards

• 010 Audit charter
• 020 Independence
• 030 Professional Ethics and Standards
• 040 Competence
• 050 Planning
• 060 Performance of Audit Work
• 070 Reporting (Form Content)
• 080 Follow-up activities

12
The (8) IS Auditing Guidelines

• 010 Audit charter
• 020 Independence
• 030 Professional Ethics and Standards
• 040 Competence
• 050 Planning
• 060 Performance of Audit Work
• 070 Reporting (Form Content)
• 080 Follow-up activities (Currently no
  guidelines)

13
Audit Guidelines of Evidence

• 010 Audit Documentation
• 020 Application Systems Review
• 030 Audit Evidence
• 040 Audit Sampling
• 050 IT Governance
• 060 Effect of Pervasive IS Controls
• 070 Use of CAATS
• 080 Use of Other Auditors and Experts
• 090 Business-to-consumer E-commerce Review
• 091 System Development Life Cycle (SDLC)
• 092 Internet Banking

14
ISACA Procedures for IS Auditing

• IS Risk Assessment
• Digital Signatures
• Intrusion Detection
• Viruses and Malicious Logic
• Controls Risk Self Assessment
• Firewalls
• Encryption Technologies
• Irregularities and Illegal Acts