IS Standards, Guidelines and Procedures for Auditing and Control Professionals

- Code of Professional Ethics
- IS Auditing Standards, Guidelines and Procedures
- IS Control Professionals Standards

Current as of 15 January 2009

ISACA

2008-2009 BOARD OF DIRECTORS

Lynn Lawton, CISA, FBCS, FCA, FIIA KPMG LLP, UK, International President

George Ataya, CISA, CISM, CGEIT, CISSP ICT Control SA, Belgium, Vice President

Howard Nicholson, CISA, CGEIT City of Salisbury, Australia, Vice President

Jose Angel Pena Ibarra, CGEIT Consultoria en Comunicaciones e Info., SA & CV, Mexico, Vice President

Robert E. Stroud CA Inc., USA, Vice President

Kenneth L. Vander Wal, CISA, CPA Ernst & Young LLP (retired), USA, Vice President

Frank Yam, CISA, FHKCS, FHKloD Focus Strategic Group Inc., Hong Kong, Vice President

Marios Damianides, CISA, CISM, CA, CPA Ernst & Young, USA, Past International President

Everett C. Johnson Jr., CPA Deloitte & Touche LLP (retired), USA, Past International President

Gregory T. Grocholski, CISA The Dow Chemical Company, USA, Director

Tony Hayes Queensland Government, Australia, Director

Jo Stewart-Rattray, CISA, CISM, CSEPS RSM Bird Cameron, Australia, Director

2008-2009 STANDARDS BOARD

Ravi Muthukrishnan, CISA, CISM, FCA, ISCA Capco IT Services India Private Ltd, India, Chair

Shawn Chaput, CISA, CISM, CISSP, PMP, Canada

Maria Gonzalez, CISA, CISM Homeland Office, Spain

John Ho Chi, CISA, CISM, CBCP, CFE Ernst & Young, Singapore

Andrew MacLeod, CISA, FCPA, MACS, PCP Brisbane City Council, Australia

John G. Ott, CISA, CPA AmerisourceBergen, USA

Edgard Pelcher, CISA Office of the Auditor General of South Africa, South Africa

Jason Thompson, CISA, CIA, CISSP KPMG LLP, USA

Meera Venkatesh, CISA, CISM, ACS, CISSP Microsoft Corporation, USA

IS Auditing Standards Disclaimer

ISACA has designed this guidance as the minimum level of acceptable performance required to meet the professional responsibilities set out in the ISACA Code of Professional Ethics for IS auditors. ISACA makes no claim that use of this product will assure a successful outcome. The publication should not be considered inclusive of all proper information, procedures and tests or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific information, procedure or test, the security and control professional should apply his/her own professional judgement to the specific circumstances presented by the particular systems or information technology environment.

IS Auditing Standards Disclosure and Copyright Notice

© 2009 ISACA. All rights reserved. No part of this publication may be used, copied, reproduced, modified, distributed, displayed, stored in a retrieval system, or transmitted in any form by any means (electronic, mechanical, photocopying, recording or otherwise), without the prior written authorisation of ISACA. Reproduction of all or portions of this publication is solely permitted for academic, internal and non-commercial use, and must include full attribution as follows: "© 2009 ISACA. This document is reprinted with the permission of ISACA." No other right or permission is granted with respect to this publication.

3701 Algonquin Road, Suite 1010

Rolling Meadows, IL 60008 USA

Telephone: +1.847.253.1545

Fax: +1.847.253.1443

E-mail: standards@

Web site:


Table of Contents

Code of Professional Ethics .......................................... 4
How to Use this Publication .......................................... 5
IS Auditing Standards Overview ....................................... 6
Index of IS Auditing Standards, Guidelines and Procedures ............ 7
IS Auditing Standards ................................................ 9
Alpha List of IS Auditing Guidelines ................................ 27
IS Auditing Guidelines .............................................. 28
IS Auditing Procedures ............................................. 214
IS Control Professionals Standards ................................. 314
History ............................................................ 315
ISACA Standards Document Comment Form .............................. 316


Code of Professional Ethics

The Information Systems Audit and Control Association®, Inc. (ISACA) sets forth this Code of Professional Ethics to guide the professional and personal conduct of members of the Association and/or its certification holders.

Members and ISACA certification holders shall:

1. Support the implementation of, and encourage compliance with, appropriate standards, procedures and controls for information systems.

2. Perform their duties with due diligence and professional care, in accordance with professional standards and best practices.

3. Serve in the interest of stakeholders in a lawful and honest manner, while maintaining high standards of conduct and character, and not engage in acts discreditable to the profession.

4. Maintain the privacy and confidentiality of information obtained in the course of their duties unless disclosure is required by legal authority. Such information shall not be used for personal benefit or released to inappropriate parties.

5. Maintain competency in their respective fields and agree to undertake only those activities which they can reasonably expect to complete with professional competence.

6. Inform appropriate parties of the results of work performed, revealing all significant facts known to them.

7. Support the professional education of stakeholders in enhancing their understanding of information systems security and control.

Failure to comply with this Code of Professional Ethics can result in an investigation into a member's or certification holder's conduct and, ultimately, in disciplinary measures.


How to Use this Publication

Relationship of Standards to Guidelines and Procedures

IS Auditing Standards are mandatory requirements for certification holders' reports on the audit and its findings. IS Auditing Guidelines and Procedures are detailed guidance on how to follow those standards. The IS Auditing Guidelines are guidance an IS auditor will normally follow, with the understanding that there may be situations where the auditor will not follow that guidance. In this case, it will be the IS auditor's responsibility to justify the way in which the work is done.

The procedure examples show the steps performed by an IS auditor and are more informative than IS Auditing Guidelines. The examples are constructed to follow the IS Auditing Standards and the IS Auditing Guidelines and provide information on following the IS Auditing Standards. To some extent, they also establish best practices for procedures to be followed.

Codification

Standards are numbered consecutively as they are issued, beginning with S1.
Guidelines are numbered consecutively as they are issued, beginning with G1.
Procedures are numbered consecutively as they are issued, beginning with P1.

Use

It is suggested that during the annual audit program, as well as individual reviews throughout the year, the IS auditor should review the standards to ensure compliance with them. The IS auditor may refer to the ISACA standards in the report, stating that the review was conducted in compliance with the laws of the country, applicable audit regulations and ISACA standards.

Electronic Copies

All ISACA standards, guidelines and procedures are posted on the ISACA web site at standards.

Glossary

A full glossary of terms can be found on the ISACA web site at glossary.

