IS Standards, Guidelines and Procedures for

Auditing and Control Professionals

Code of Professional Ethics
IS Auditing Standards, Guidelines and Procedures
IS Control Professionals Standards

Current as of 15 January 2009

ISACA

2008-2009 BOARD OF DIRECTORS

Lynn Lawton, CISA, FBCS, FCA, FIIA, KPMG LLP, UK, International President
George Ataya, CISA, CISM, CGEIT, CISSP, ICT Control SA, Belgium, Vice President
Howard Nicholson, CISA, CGEIT, City of Salisbury, Australia, Vice President
Jose Angel Pena Ibarra, CGEIT, Consultoria en Comunicaciones e Info., SA & CV, Mexico, Vice President
Robert E. Stroud, CA Inc., USA, Vice President
Kenneth L. Vander Wal, CISA, CPA, Ernst & Young LLP (retired), USA, Vice President
Frank Yam, CISA, FHKCS, FHKIoD, Focus Strategic Group Inc., Hong Kong, Vice President
Marios Damianides, CISA, CISM, CA, CPA, Ernst & Young, USA, Past International President
Everett C. Johnson Jr., CPA, Deloitte & Touche LLP (retired), USA, Past International President
Gregory T. Grocholski, CISA, The Dow Chemical Company, USA, Director
Tony Hayes, Queensland Government, Australia, Director
Jo Stewart-Rattray, CISA, CISM, CSEPS, RSM Bird Cameron, Australia, Director

2008-2009 STANDARDS BOARD

Ravi Muthukrishnan, CISA, CISM, FCA, ISCA, Capco IT Services India Private Ltd, India, Chair
Shawn Chaput, CISA, CISM, CISSP, PMP, Canada
Maria Gonzalez, CISA, CISM, Homeland Office, Spain
John Ho Chi, CISA, CISM, CBCP, CFE, Ernst & Young, Singapore
Andrew MacLeod, CISA, FCPA, MACS, PCP, Brisbane City Council, Australia
John G. Ott, CISA, CPA, AmerisourceBergen, USA
Edgard Pelcher, CISA, Office of the Auditor General of South Africa, South Africa
Jason Thompson, CISA, CIA, CISSP, KPMG LLP, USA
Meera Venkatesh, CISA, CISM, ACS, CISSP, Microsoft Corporation, USA

IS Auditing Standards Disclaimer

ISACA has designed this guidance as the minimum level of acceptable performance required to meet the professional responsibilities set out in the ISACA Code of Professional Ethics for IS auditors. ISACA makes no claim that use of this product will assure a successful outcome. The publication should not be considered inclusive of all proper information, procedures and tests or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific information, procedure or test, the security and control professional should apply his/her own professional judgement to the specific circumstances presented by the particular systems or information technology environment.

IS Auditing Standards Disclosure and Copyright Notice

© 2009 ISACA. All rights reserved. No part of this publication may be used, copied, reproduced, modified, distributed, displayed, stored in a retrieval system, or transmitted in any form by any means (electronic, mechanical, photocopying, recording or otherwise), without the prior written authorisation of ISACA. Reproduction of all or portions of this publication is solely permitted for academic, internal and non-commercial use, and must include full attribution as follows: "© 2009 ISACA. This document is reprinted with the permission of ISACA." No other right or permission is granted with respect to this publication.

3701 Algonquin Road, Suite 1010 Rolling Meadows, IL 60008 USA

Telephone: +1.847.253.1545 Fax: +1.847.253.1443

E-mail: standards@ Web site:

© 2009 ISACA. All rights reserved. Page 2

Table of Contents

                                                                  Page
Code of Professional Ethics ..................................... 4
How to Use this Publication ..................................... 5
IS Auditing Standards Overview .................................. 6
Index of IS Auditing Standards, Guidelines and Procedures ....... 7
IS Auditing Standards ........................................... 9
Alpha List of IS Auditing Guidelines ............................ 27
IS Auditing Guidelines .......................................... 28
IS Auditing Procedures .......................................... 214
IS Control Professionals Standards .............................. 314
History ......................................................... 315
ISACA Standards Document Comment Form ........................... 316


Code of Professional Ethics

The Information Systems Audit and Control Association, Inc. (ISACA) sets forth this Code of Professional Ethics to guide the professional and personal conduct of members of the Association and/or its certification holders.

Members and ISACA certification holders shall:

1. Support the implementation of, and encourage compliance with, appropriate standards, procedures and controls for information systems.
2. Perform their duties with due diligence and professional care, in accordance with professional standards and best practices.
3. Serve in the interest of stakeholders in a lawful and honest manner, while maintaining high standards of conduct and character, and not engage in acts discreditable to the profession.
4. Maintain the privacy and confidentiality of information obtained in the course of their duties unless disclosure is required by legal authority. Such information shall not be used for personal benefit or released to inappropriate parties.
5. Maintain competency in their respective fields and agree to undertake only those activities which they can reasonably expect to complete with professional competence.
6. Inform appropriate parties of the results of work performed, revealing all significant facts known to them.
7. Support the professional education of stakeholders in enhancing their understanding of information systems security and control.

Failure to comply with this Code of Professional Ethics can result in an investigation into a member's or certification holder's conduct and, ultimately, in disciplinary measures.


How to Use this Publication

Relationship of Standards to Guidelines and Procedures

IS Auditing Standards are mandatory requirements for certification holders' reports on the audit and its findings. IS Auditing Guidelines and Procedures are detailed guidance on how to follow those standards. The IS Auditing Guidelines are guidance an IS auditor will normally follow with the understanding that there may be situations where the auditor will not follow that guidance. In this case, it will be the IS auditor's responsibility to justify the way in which the work is done. The procedure examples show the steps performed by an IS auditor and are more informative than IS Auditing Guidelines. The examples are constructed to follow the IS Auditing Standards and the IS Auditing Guidelines and provide information on following the IS Auditing Standards. To some extent, they also establish best practices for procedures to be followed.

Codification

Standards are numbered consecutively as they are issued, beginning with S1.
Guidelines are numbered consecutively as they are issued, beginning with G1.
Procedures are numbered consecutively as they are issued, beginning with P1.

Use

It is suggested that during the annual audit program, as well as individual reviews throughout the year, the IS auditor should review the standards to ensure compliance with them. The IS auditor may refer to the ISACA standards in the report, stating that the review was conducted in compliance with the laws of the country, applicable audit regulations and ISACA standards.

Electronic Copies

All ISACA standards, guidelines and procedures are posted on the ISACA web site at standards.

Glossary

A full glossary of terms can be found on the ISACA web site at glossary.


IS Auditing Standards Overview

Issued by ISACA

The specialised nature of information systems (IS) auditing and the skills necessary to perform such audits require standards that apply specifically to IS auditing. One of the goals of ISACA is to advance globally applicable standards to meet its vision. The development and dissemination of the IS Auditing Standards are a cornerstone of the ISACA professional contribution to the audit community. The framework for the IS Auditing Standards provides multiple levels of guidance:

Standards define mandatory requirements for IS auditing and reporting. They inform:

- IS auditors of the minimum level of acceptable performance required to meet the professional responsibilities set out in the ISACA Code of Professional Ethics for IS auditors
- Management and other interested parties of the profession's expectations concerning the work of practitioners
- Holders of the Certified Information Systems Auditor (CISA®) designation of requirements. Failure to comply with these standards may result in an investigation into the CISA holder's conduct by the ISACA Board of Directors or appropriate ISACA committee and, ultimately, in disciplinary action.

Guidelines provide guidance in applying IS Auditing Standards. The IS auditor should consider them in determining how to achieve implementation of the standards, use professional judgment in their application and be prepared to justify any departure. The objective of the IS Auditing Guidelines is to provide further information on how to comply with the IS Auditing Standards.

Procedures provide examples of procedures an IS auditor might follow in an audit engagement. The procedure documents provide information on how to meet the standards when performing IS auditing work, but do not set requirements. The objective of the IS Auditing Procedures is to provide further information on how to comply with the IS Auditing Standards.

Control Objectives for Information and related Technology (COBIT) is published by the IT Governance Institute (ITGI). It is an information technology (IT) governance framework and supporting tool set that allows managers to bridge the gaps amongst control requirements, technical issues and business risks. COBIT enables clear policy development and good practice for IT control throughout organisations. It emphasises regulatory compliance, helps organisations increase the value attained from IT, enables alignment and simplifies implementation of the COBIT framework's concepts. COBIT is intended for use by business and IT management as well as IS auditors; therefore, its usage enables the understanding of business objectives and communication of good practices and recommendations to be made around a commonly understood and well-respected framework. COBIT is available for download on the ISACA web site, cobit. As defined in the COBIT framework, each of the following related products and/or elements is organised by IT management process:

- Control objectives--Generic statements of minimum good control in relation to IT processes
- Management guidelines--Guidance on how to assess and improve IT process performance, using maturity models; Responsible, Accountable, Consulted and/or Informed (RACI) charts; goals; and metrics. They provide a management-oriented framework for continuous and proactive control self-assessment specifically focused on:
  - Performance measurement
  - IT control profiling
  - Awareness
  - Benchmarking
- COBIT Control Practices--Risk and value statements and 'how to implement' guidance for the control objectives
- IT Assurance Guide--Guidance for each control area on how to obtain an understanding, evaluate each control, assess compliance and substantiate the risk of controls not being met

A glossary of terms can be found on the ISACA web site at glossary. The words audit and review are used interchangeably in IS Auditing Standards, Guidelines and Procedures.

Disclaimer: ISACA has designed this guidance as the minimum level of acceptable performance required to meet the professional responsibilities set out in the ISACA Code of Professional Ethics for IS auditors. ISACA makes no claim that use of this product will assure a successful outcome. The publication should not be considered inclusive of all proper procedures and tests or exclusive of other procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific procedure or test, control professionals should apply their own professional judgment to the specific control circumstances presented by the particular systems or information technology environment.

The ISACA Standards Board is committed to wide consultation in the preparation of the IS Auditing Standards, Guidelines and Procedures. Prior to issuing any documents, the Standards Board issues exposure drafts internationally for general public comment. The Standards Board also seeks out those with a special expertise or interest in the topic under consideration for consultation where necessary. The Standards Board has an ongoing development programme and welcomes the input of ISACA members and other interested parties to identify emerging issues requiring new standards. Any suggestions should be e-mailed (standards@), faxed (+1.847.253.1443) or mailed to ISACA International Headquarters, 3701 Algonquin Road, Suite 1010, Rolling Meadows, IL 60008 USA, for the attention of the director of research standards and academic relations.


Index of IS Auditing Standards

Standard                                         Effective Date
S1   Audit Charter                               1 January 2005
S2   Independence                                1 January 2005
S3   Professional Ethics and Standards           1 January 2005
S4   Competence                                  1 January 2005
S5   Planning                                    1 January 2005
S6   Performance of Audit Work                   1 January 2005
S7   Reporting                                   1 January 2005
S8   Follow-Up Activities                        1 January 2005
S9   Irregularities and Illegal Acts             1 September 2005
S10  IT Governance                               1 September 2005
S11  Use of Risk Assessment in Audit Planning    1 November 2005
S12  Audit Materiality                           1 July 2006
S13  Using the Work of Other Experts             1 July 2006
S14  Audit Evidence                              1 July 2006
S15  IT Controls                                 1 February 2008
S16  E-commerce                                  1 February 2008

Index of IS Auditing Guidelines

Guideline                                                           Effective Date
G1   Using the Work of Other Auditors                               1 June 1998 (Revised 1 March 2008)
G2   Audit Evidence Requirement                                     1 December 1998 (Revised 1 May 2008)
G3   Use of Computer Assisted Audit Techniques (CAATs)              1 December 1998 (Revised 1 March 2008)
G4   Outsourcing of IS Activities to Other Organisations            1 September 1999 (Revised 1 May 2008)
G5   Audit Charter                                                  1 September 1999 (Revised 1 February 2008)
G6   Materiality Concepts for Auditing Information Systems          1 September 1999 (Revised 1 May 2008)
G7   Due Professional Care                                          1 September 1999 (Revised 1 March 2008)
G8   Audit Documentation                                            1 September 1999 (Revised 1 March 2008)
G9   Audit Considerations for Irregularities and Illegal Acts       1 March 2000 (Revised 1 September 2008)
G10  Audit Sampling                                                 1 March 2000 (Revised 1 August 2008)
G11  Effect of Pervasive IS Controls                                1 March 2000 (Revised 1 August 2008)
G12  Organisational Relationship and Independence                   1 September 2000 (Revised 1 August 2008)
G13  Use of Risk Assessment in Audit Planning                       1 September 2000 (Revised 1 August 2008)
G14  Application Systems Review                                     1 November 2001 (Revised 1 October 2008)
G15  Planning                                                       Revised 1 March 2002
G16  Effect of Third Parties on an Organisation's IT Controls       1 March 2002
G17  Effect of Nonaudit Role on the IS Auditor's Independence       1 July 2002
G18  IT Governance                                                  1 July 2002
G19  Irregularities and Illegal Acts                                1 July 2002 (Withdrawn 1 September 2008)
G20  Reporting                                                      1 January 2003
G21  Enterprise Resource Planning (ERP) Systems Review              1 August 2003
G22  Business-to-consumer (B2C) E-commerce Review                   1 August 2003 (Revised 1 October 2008)
G23  System Development Life Cycle (SDLC) Reviews                   1 August 2003
G24  Internet Banking                                               1 August 2003
G25  Review of Virtual Private Networks                             1 July 2004
G26  Business Process Reengineering (BPR) Project Reviews           1 July 2004
G27  Mobile Computing                                               1 September 2004
G28  Computer Forensics                                             1 September 2004
G29  Post-implementation Review                                     1 January 2005
G30  Competence                                                     1 June 2005
G31  Privacy                                                        1 June 2005
G32  Business Continuity Plan (BCP) Review From IT Perspective      1 September 2005
G33  General Considerations on the Use of the Internet              1 March 2006
G34  Responsibility, Authority and Accountability                   1 March 2006
G35  Follow-up Activities                                           1 March 2006
G36  Biometric Controls                                             1 February 2007
G37  Configuration Management Process                               1 November 2007
G38  Access Controls                                                1 February 2008
G39  IT Organisation                                                1 May 2008
G40  Review of Security Management Practices                        1 October 2008


Index of IS Auditing Procedures

Procedure                                                                          Effective Date
P1   IS Risk Assessment                                                            1 July 2002
P2   Digital Signatures                                                            1 July 2002
P3   Intrusion Detection                                                           1 August 2003
P4   Viruses and other Malicious Code                                              1 August 2003
P5   Control Risk Self-assessment                                                  1 August 2003
P6   Firewalls                                                                     1 August 2003
P7   Irregularities and Illegal Acts                                               1 November 2003
P8   Security Assessment--Penetration Testing and Vulnerability Analysis           1 September 2004
P9   Evaluation of Management Controls Over Encryption Methodologies               1 January 2005
P10  Business Application Change Control                                           1 October 2006
P11  Electronic Funds Transfer (EFT)                                               1 May 2007
