S15-IT-Controls-14Nov07.pdf

7/28/2019 S15-IT-Controls-14Nov07.pdf 1/3

IS AUDITING STANDARD

The specialised nature of information systems (IS) auditing and the skills necessary to perform such audits require standards that apply specifically to IS auditing. One of the goals of ISACA is to advance globally applicable standards to meet its vision. The development and dissemination of the IS Auditing Standards are a cornerstone of the ISACA professional contribution to the audit community. The framework for the IS Auditing Standards provides multiple levels of guidance:

Standards define mandatory requirements for IS auditing and reporting. They inform:
• IS auditors of the minimum level of acceptable performance required to meet the professional responsibilities set out in the ISACA Code of Professional Ethics
• Management and other interested parties of the profession's expectations concerning the work of practitioners
• Holders of the Certified Information Systems Auditor (CISA) designation of requirements. Failure to comply with these standards may result in an investigation into the CISA holder's conduct by the ISACA Board of Directors or appropriate ISACA committee and, ultimately, in disciplinary action.

Guidelines provide guidance in applying IS Auditing Standards. The IS auditor should consider them in determining how to achieve implementation of the standards, use professional judgement in their application and be prepared to justify any departure. The objective of the IS Auditing Guidelines is to provide further information on how to comply with the IS Auditing Standards.

Procedures provide examples of procedures an IS auditor might follow in an audit engagement. The procedure documents provide information on how to meet the standards when performing IS auditing work, but do not set requirements. The objective of the IS Auditing Procedures is to provide further information on how to comply with the IS Auditing Standards.

Control Objectives for Information and related Technology (COBIT) is an information technology (IT) governance framework and supporting tool set that allows managers to bridge the gaps amongst control requirements, technical issues and business risks. COBIT enables clear policy development and good practice for IT control throughout organisations. It emphasises regulatory compliance, helps organisations increase the value attained from IT, enables alignment and simplifies implementation of the COBIT framework's concepts. COBIT is intended for use by business and IT management as well as IS auditors; therefore, its usage enables the understanding of business objectives and communication of good practices and recommendations to be made around a commonly understood and well-respected framework. COBIT is available for download on the ISACA web site, www.isaca.org/cobit. As defined in the COBIT framework, each of the following related products and/or elements is organised by IT management process:

• Control objectives: Generic statements of minimum good control in relation to IT processes
• Management guidelines: Guidance on how to assess and improve IT process performance, using maturity models; Responsible, Accountable, Consulted and/or Informed (RACI) charts; goals; and metrics. They provide a management-oriented framework for continuous and proactive control self-assessment specifically focused on:
  - Performance measurement
  - IT control profiling
  - Awareness
  - Benchmarking
• COBIT Control Practices: Risk and value statements and how to implement guidance for the control objectives
• IT Assurance Guide: Guidance for each control area on how to obtain an understanding, evaluate each control, assess compliance and substantiate the risk of controls not being met

A glossary of terms can be found on the ISACA web site at www.isaca.org/glossary. The words "audit" and "review" are used interchangeably in the IS Auditing Standards, Guidelines and Procedures.

Disclaimer: ISACA has designed this guidance as the minimum level of acceptable performance required to meet the professional responsibilities set out in the ISACA Code of Professional Ethics. ISACA makes no claim that use of this product will assure a successful outcome. The publication should not be considered inclusive of any proper procedures and tests or exclusive of other procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific procedure or test, the controls professional should apply his/her own professional judgement to the specific control circumstances presented by the particular systems or information technology environment.

The ISACA Standards Board is committed to wide consultation in the preparation of the IS Auditing Standards, Guidelines and Procedures. Prior to issuing any documents, the Standards Board issues exposure drafts internationally for general public comment. The Standards Board also seeks out those with a special expertise or interest in the topic under consideration for consultation where necessary. The Standards Board has an ongoing development programme and welcomes the input of ISACA members and other interested parties to identify emerging issues requiring new standards. Any suggestions should be e-mailed ([email protected]), faxed (+1.847.253.1443) or mailed (address at the end of document) to ISACA International Headquarters, for the attention of the director of research standards and academic relations. This material was issued 1 December 2007.

S15 IT CONTROLS


S15 IT Controls

Introduction

01 ISACA standards contain the basic, mandatory principles and essential procedures, identified in bold type (black lettering), together with related guidance.

02 The purpose of this ISACA standard is to establish standards and provide guidance regarding IT controls.

Standard

03 The IS auditor should evaluate and monitor IT controls that are an integral part of the internal control environment of the organisation.

04 The IS auditor should assist management by providing advice regarding the design, implementation, operation and improvement of IT controls.

Commentary

05 Management is accountable for the internal control environment of an organisation including IT controls. An internal control environment provides the discipline, framework and structure for the achievement of the primary objective of the system of internal control.

06 COBIT defines control as the policies, procedures, practices and organisational structures, designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected. Also, COBIT defines a control objective as a statement of the desired result or purpose to be achieved by implementing control procedures in a particular process.

07 IT controls are comprised of general IT controls, which include pervasive IT controls, detailed IT controls and application controls, and refer to controls over the acquisition, implementation, delivery and support of IT systems and services.

08 General IT controls are controls that minimise risk to the overall functioning of the organisation's IT systems and infrastructure and to a broad set of automated solutions (applications).

09 Application controls are a set of controls embedded within applications.

10 Pervasive IT controls are general IT controls that are designed to manage and monitor the IT environment and, therefore, affect all IT-related activities. They are a subset of general controls, being those general IT controls that focus on the management and monitoring of IT.

11 Detailed IT controls are made up of application controls plus those general IT controls not included in pervasive IT controls.

12 The IS auditor should use an appropriate risk assessment technique or approach in developing the overall IS audit plan and in determining priorities for the effective allocation of IS audit resources to provide assurance regarding the state of IT control processes. Control processes are the policies, procedures and activities that are part of a control environment, designed to ensure that risks are contained within the risk tolerances established by the risk management process.

13 The IS auditor should consider the use of data analysis techniques including the use of continuous assurance, which allows IS auditors to monitor system reliability on a continuous basis and to gather selective audit evidence through the computer when reviewing IT controls.

14 When organisations use third parties, they can become a key component in an organisation's controls and its achievement of related control objectives. The IS auditor should evaluate the role that the third party performs in relation to the IT environment, related controls and IT control objectives.

15 The following ISACA and IT Governance Institute (ITGI) guidance should be referred to for further information regarding IT controls:
• Guideline G3 Use of Computer-assisted Audit Techniques (CAATs)
• Guideline G11 Effect of Pervasive IS Controls
• Guideline G13 Using Risk Assessment in Audit Planning
• Guideline G15 Planning
• Guideline G16 Effect of Third Parties on an Organisation's IT Controls
• Guideline G20 Reporting
• Guideline G36 Biometric Controls
• Guideline G38 Access Controls
• COBIT framework and control objectives
