Development of Standards, Guidelines and Procedures
The ISACA Standards Board is committed to wide consultation in the preparation of Information Systems Auditing Standards, Guidelines and Procedures. Prior to issuing any documents, the Standards Board issues exposure drafts internationally for general public comment. The Standards Board also seeks out those with a special expertise or interest in the topic under consideration for consultation where necessary.
The Standards Board has an on-going development programme, and would welcome the input of members of the ISACA and holders of the CISA designation to identify emerging issues requiring new standards products. Any suggestions should be e-mailed (research@isaca.org) or faxed (+1.847.253.1443) to ISACA's International Office, for the attention of the Director of Research, Standards and Academic Relations.
Withdrawal of Previously Issued Documents
This Guideline replaces the previously issued Statement on Information Systems Auditing Standard Number 3 on Evidence Requirement. SISAS 3 will be withdrawn on 1 December 1998.
1. BACKGROUND
1.1 Linkage to Standards
1.1.1 Standard S6 Performance of Audit Work states "During the course of the audit, the IS auditor should obtain sufficient, reliable and relevant evidence to achieve the audit objectives. The audit findings and conclusions are to be supported by appropriate analysis and interpretation of this evidence."
1.2 Need for Guideline
1.2.1 The purpose of this Guideline is to define the word "evidence" as used in standard S6 of the IS Auditing Standards and to address the type and sufficiency of audit evidence used in information systems auditing.
1.2.2 This Guideline provides guidance in applying IS auditing standards. The IS Auditor should consider it in determining how to achieve implementation of the above Standard, use professional judgment in its application and be prepared to justify any departure.
2. PLANNING
2.1 Types of Audit Evidence
2.1.1 When planning the IS audit work, the IS Auditor should take into account the type of audit evidence to be gathered, its use as audit evidence to meet audit objectives, and its varying levels of reliability. Among the things to be considered are the independence and qualifications of the provider of the audit evidence. For example, corroborative audit evidence from an independent third party can be more reliable than audit evidence from the organisation being audited. Physical audit evidence is generally more reliable than the representations of an individual.
2.1.2 The various types of audit evidence which the IS Auditor should consider using include:
- Observed processes and existence of physical items
- Documentary audit evidence
- Representations
- Analysis
2.1.3 Observed processes and existence of physical items can include observations of activities, property and information systems functions, such as:
- An inventory of media in an offsite storage location
- A computer room security system in operation
2.1.4 Documentary audit evidence, recorded on paper or other media, can include:
- Results of data extractions
- Records of transactions
- Program listings
- Invoices
- Activity and control logs
2.2
PERFORMANCE OF AUDIT WORK
3.1 Nature of Audit Evidence
3.1.1 Audit evidence should be sufficient, reliable, relevant, and useful in order to form an opinion or support the IS Auditor's findings and conclusions. If, in the IS Auditor's judgment, the audit evidence obtained does not meet these criteria, the IS Auditor should obtain additional audit evidence. For example, a program listing may not be adequate audit evidence until other audit evidence has been gathered to verify that it represents the actual program used in the production process.
3.2 Gathering Audit Evidence
3.2.1 Procedures used to gather audit evidence vary depending on the information system being audited. The IS Auditor should select the most appropriate procedure for the audit objective. The following procedures should be considered:
- Inquiry
- Observation
- Inspection
- Confirmation
- Reperformance
- Monitoring
REPORTING
4.1 Restriction of Scope
4.1.1 In those situations where the IS Auditor believes sufficient audit evidence cannot be obtained, the IS Auditor should disclose this fact in a manner consistent with the communication of the audit results.
5. EFFECTIVE DATE