ISACA Member and Certification Holder
The specialized nature of information systems (IS) audit and assurance and
the skills necessary to perform such engagements require standards that apply
specifically to IS audit and assurance. The development and dissemination of the
IS audit and assurance standards are a cornerstone of the ISACA® professional
contribution to the audit community.
IS audit and assurance standards define mandatory requirements for IS auditing.
They report and inform:
• IS audit and assurance professionals of the minimum level of acceptable
performance required to meet the professional responsibilities set out in the
ISACA Code of Professional Ethics
• Management and other interested parties of the profession’s expectations
concerning the work of practitioners
• Holders of the Certified Information Systems Auditor® (CISA®) designation
of requirements. Failure to comply with these standards may result in an
investigation into the CISA holder’s conduct by the ISACA Board of Directors or
appropriate committee and, ultimately, in disciplinary action.
ITAF™, 3rd Edition (www.isaca.org/itaf) provides a framework for multiple levels of guidance:
IS Audit and Assurance Standards
The standards are divided into three categories:
• General standards (1000 series)—Are the guiding principles under which the
IS assurance profession operates. They apply to the conduct of all assignments
and deal with the IS audit and assurance professional’s ethics, independence,
objectivity and due care as well as knowledge, competency and skill.
• Performance standards (1200 series)—Deal with the conduct of the
assignment, such as planning and supervision, scoping, risk and materiality,
resource mobilization, supervision and assignment management, audit and
assurance evidence, and the exercising of professional judgment and due care.
• Reporting standards (1400 series)—Address the types of reports, means of
communication and the information communicated.
Please note that the guidelines are effective 1 September 2014.
1001 Audit Charter
1002 Organizational Independence
1003 Professional Independence
1004 Reasonable Expectation
1005 Due Professional Care
1201 Engagement Planning
1202 Risk Assessment in Planning
1203 Performance and Supervision
1206 Using the Work of Other Experts
1207 Irregularity and Illegal Acts
1402 Follow-up Activities
IS Audit and Assurance Guidelines
The guidelines are designed to directly support the standards and help
practitioners achieve alignment with the standards. They follow the same
categorization as the standards (also divided into three categories):
• General guidelines (2000 series)
• Performance guidelines (2200 series)
• Reporting guidelines (2400 series)
2001 Audit Charter
2002 Organizational Independence
2003 Professional Independence
2004 Reasonable Expectation
2005 Due Professional Care
2201 Engagement Planning
2202 Risk Assessment in Planning
2203 Performance and Supervision
2206 Using the Work of Other Experts
2207 Irregularity and Illegal Acts
2402 Follow-up Activities
IS Audit and Assurance Tools and Techniques
These documents provide additional guidance for IS audit and assurance
professionals and consist, among other things, of white papers, IS audit/assurance
programs, reference books and the COBIT® 5 family of products. Tools and
techniques are listed under www.isaca.org/itaf.
An online glossary of terms used in ITAF is provided at www.isaca.org/glossary.
Prior to issuing any new standard or guideline, an exposure draft is
issued internationally for general public comment.
Comments may also be submitted to the attention of the Director,
Thought Leadership and Research via email (firstname.lastname@example.org),
fax (+1.847.253.1755) or postal mail (ISACA International Headquarters,
3701 Algonquin Road, Suite 1010, Rolling Meadows, IL 60008-3105,
Links to current and exposed ISACA Standards, Guidelines, and Tools
and Techniques are posted at www.isaca.org/standards.
Disclaimer: ISACA has designed this guidance as the minimum
level of acceptable performance required to meet the professional
responsibilities set out in the ISACA Code of Professional Ethics.
ISACA makes no claim that use of these products will assure a
successful outcome. The guidance should not be considered inclusive
of any proper procedures and tests or exclusive of other procedures
and tests that are reasonably directed to obtaining the same results. In
determining the propriety of any specific procedure or test, the control
professionals should apply their own professional judgment to the
specific control circumstances presented by the particular systems or IS
tools and techniques