The specialised nature of information systems (IS) auditing and the skills necessary to perform such audits require standards that apply specifically to IS auditing. One of the goals of ISACA is to advance globally applicable standards to meet its vision. The development and dissemination of the IS Auditing Standards are a cornerstone of the ISACA professional contribution to the audit community. The framework for the IS Auditing Standards provides multiple levels of guidance:
Standards define mandatory requirements for IS auditing and reporting. They inform:
– IS auditors of the minimum level of acceptable performance required to meet the professional responsibilities set out in the ISACA Code of Professional Ethics
– Management and other interested parties of the profession’s expectations concerning the work of practitioners
– Holders of the Certified Information Systems Auditor™ (CISA®) designation of requirements. Failure to comply with these standards may result in an investigation into the CISA holder’s conduct by the ISACA Board of Directors or appropriate ISACA committee and, ultimately, in disciplinary action.

Guidelines provide guidance in applying IS Auditing Standards. The IS auditor should consider them in determining how to achieve implementation of the standards, use professional judgement in their application and be prepared to justify any departure. The objective of the IS Auditing Guidelines is to provide further information on how to comply with the IS Auditing Standards.

Procedures provide examples of procedures an IS auditor might follow in an audit engagement. The procedure documents provide information on how to meet the standards when performing IS auditing work, but do not set requirements. The objective of the IS Auditing Procedures is to provide further information on how to comply with the IS Auditing Standards.
Control Objectives for Information and related Technology (COBIT) is an IT governance framework and supporting tool set that allows managers to bridge the gaps amongst control requirements, technical issues and business risks. COBIT enables clear policy development and good practice for IT control throughout organisations. It emphasises regulatory compliance, helps organisations increase the value attained from IT, enables alignment and simplifies implementation of the COBIT framework. As defined in the COBIT framework, each of the following is organised by IT management process. COBIT is intended for use by business and IT management, as well as IS auditors; therefore, its usage enables the understanding of business objectives, communication of best practices and recommendations to be made around a commonly understood and well-respected standard reference. COBIT and related products include:
Control objectives—Generic statements of minimum good control in relation to IT processes

Management guidelines—Guidance on how to assess and improve IT process performance, using maturity models, metrics and critical success factors. They provide a management-oriented framework for continuous and proactive control self-assessment specifically focused on:
– Performance measurement—How well is the IT function supporting business requirements?
– IT control profiling—What IT processes are important? What are the critical success factors for control?
– Awareness—What are the risks of not achieving the objectives?
– Benchmarking—What do others do? How can results be measured and compared?
Management guidelines can be used to support self-assessment workshops, and they also can be used to support the implementation by management of continuous monitoring and improvement procedures as part of an IT governance scheme. Management guidelines provide example goals and metrics enabling assessment of IT performance in business terms. Maturity models and maturity attributes provide for capability assessments and...