
IS AUDITING GUIDELINE

AUDIT EVIDENCE REQUIREMENT


Document G2
Introduction
The specialised nature of information systems auditing, and the skills necessary to perform such audits, require globally applicable standards that apply specifically to information systems auditing. One of the Information Systems Audit and Control Association, Inc.'s (ISACA's) goals is therefore to advance standards to meet this need. The development and dissemination of Standards for Information Systems Auditing are a cornerstone of the ISACA's professional contribution to the audit community.

Objectives
The objectives of the ISACA's Standards for Information Systems Auditing are to inform
- Information Systems Auditors of the minimum level of acceptable performance required to meet the professional responsibilities set out in the Code of Professional Ethics for Information Systems Auditors
- Management and other interested parties of the profession's expectations concerning the work of practitioners
The objective of IS Auditing Guidelines is to provide further information on how to comply with the Information Systems Auditing Standards.

Scope and Authority of Standards for Information Systems Auditing
The framework for the ISACA's Information Systems Auditing Standards provides for multiple levels of standards, as follows:
- Standards define mandatory requirements for IS auditing and reporting.
- Guidelines provide guidance in applying IS auditing standards. The IS Auditor should consider them in determining how to achieve implementation of the above standards, use professional judgment in their application and be prepared to justify any departure.
- Procedures provide examples of procedures an IS Auditor might follow in an audit engagement. The procedure documents provide information on how to meet the standards when doing information systems auditing work, but do not set requirements.
The ISACA Code of Professional Ethics requires members of the ISACA and holders of the Certified Information Systems Auditor (CISA) designation to comply with Information Systems Auditing Standards adopted by the ISACA. Apparent failure to comply with these may result in an investigation into the member's or CISA holder's conduct by the ISACA Board or appropriate ISACA committee and disciplinary action may ensue.

Development of Standards, Guidelines and Procedures
The ISACA Standards Board is committed to wide consultation in the preparation of Information Systems Auditing Standards, Guidelines and Procedures. Prior to issuing any documents, the Standards Board issues exposure drafts internationally for general public comment. The Standards Board also seeks out those with a special expertise or interest in the topic under consideration for consultation where necessary.
The Standards Board has an on-going development programme, and would welcome the input of members of the ISACA and holders of the CISA designation to identify emerging issues requiring new standards products. Any suggestions should be e-mailed (research@isaca.org) or faxed (+1.847.253.1443) to ISACA's International Office, for the attention of the Director of Research, Standards and Academic Relations.

Withdrawal of Previously Issued Documents
This Guideline replaces the previously issued Statement on Information Systems Auditing Standard Number 3 on Evidence Requirement. SISAS 3 will be withdrawn on 1 December 1998.

Information Systems Audit and Control Association


1998-1999 STANDARDS BOARD
Chair, Lynn Christine Lawton, CISA, FCA, FIIA, PIIA KPMG, United Kingdom
John W. Beveridge, CISA, CFE, CGFM Commonwealth of Massachusetts, USA
Marcelo Abdo Centeio Companhia Siderurgica Nacional, Brazil
Claudio Cilli, CISA Ernst & Young, Italy
Svein Erik Dovran, CISA The Banking Insurance and Securities Commission, Norway
Stephen W. Head, CISA, CPA, CPCU, CMA, CFE, CISSP, CBCP Royal Insurance, USA
Fred Lilly, CISA, CPA Fred L. Lilly, CPA, USA
Ai Lin Ong, ACA, CISA, PA PricewaterhouseCoopers, Malaysia
David W. Powell, CISA, ACA, CIA Deloitte Touche Tohmatsu, Australia

1. BACKGROUND

1.1 Linkage to Standards
1.1.1 Standard S6 Performance of Audit Work states "During the course of the audit, the IS auditor should obtain sufficient, reliable and relevant evidence to achieve the audit objectives. The audit findings and conclusions are to be supported by appropriate analysis and interpretation of this evidence."

1.2 Need for Guideline
1.2.1 The purpose of this Guideline is to define the word "evidence" as used in standard S6 of the IS Auditing Standards and to address the type and sufficiency of audit evidence used in information systems auditing.
1.2.2 This Guideline provides guidance in applying IS auditing standards. The IS Auditor should consider it in determining how to achieve implementation of the above Standard, use professional judgment in its application and be prepared to justify any departure.

2. PLANNING

2.1 Types of Audit Evidence
2.1.1 When planning the IS audit work, the IS Auditor should take into account the type of audit evidence to be gathered, its use as audit evidence to meet audit objectives, and its varying levels of reliability. Among the things to be considered are the independence and qualifications of the provider of the audit evidence. For example, corroborative audit evidence from an independent third party can be more reliable than audit evidence from the organisation being audited. Physical audit evidence is generally more reliable than the representations of an individual.
2.1.2 The various types of audit evidence which the IS Auditor should consider using include:
- Observed processes and existence of physical items
- Documentary audit evidence
- Representations
- Analysis
2.1.3 Observed processes and existence of physical items can include observations of activities, property and information systems functions, such as:
- An inventory of media in an offsite storage location
- A computer room security system in operation
2.1.4 Documentary audit evidence, recorded on paper or other media, can include:
- Results of data extractions
- Records of transactions
- Program listings
- Invoices
- Activity and control logs
- System development documentation


2.1.5 Representations of those being audited can be audit evidence, such as:
- Written policies and procedures
- System flowcharts
- Written or oral statements
2.1.6 The results of analysing information through comparisons, simulations, calculations and reasoning can also be used as audit evidence. Examples include:
- Benchmarking IS performance against other organisations or past periods
- Comparison of error rates between applications, transactions and users

2.2 Availability of Audit Evidence
2.2.1 The IS Auditor should consider the time during which information exists or is available in determining the nature, timing, and extent of substantive testing, and, if applicable, compliance testing. For example, audit evidence processed by Electronic Data Interchange (EDI), Document Image Processing (DIP), and dynamic systems such as spreadsheets, may not be retrievable after a specified period of time if changes to the files are not controlled or the files are not backed up.

2.3 Selection of Audit Evidence
2.3.1 The IS Auditor should plan to use the best audit evidence attainable consistent with the importance of the audit objective and the time and effort involved in obtaining the audit evidence.
2.3.2 Where audit evidence obtained in the form of oral representations is critical to the audit opinion or conclusion, the IS Auditor should consider obtaining documentary confirmation of the representations, either on paper or on other media.

3. PERFORMANCE OF AUDIT WORK

3.1 Nature of Audit Evidence
3.1.1 Audit evidence should be sufficient, reliable, relevant, and useful in order to form an opinion or support the IS Auditor's findings and conclusions. If, in the IS Auditor's judgment, the audit evidence obtained does not meet these criteria, the IS Auditor should obtain additional audit evidence. For example, a program listing may not be adequate audit evidence until other audit evidence has been gathered to verify that it represents the actual program used in the production process.

3.2 Gathering Audit Evidence
3.2.1 Procedures used to gather audit evidence vary depending on the information system being audited. The IS Auditor should select the most appropriate procedure for the audit objective. The following procedures should be considered:
- Inquiry
- Observation
- Inspection
- Confirmation
- Reperformance
- Monitoring
3.2.2 The above can be applied through the use of manual audit procedures, computer-assisted audit techniques, or a combination of both. For example:
- A system which uses manual control totals to balance data entry operations might provide audit evidence that the control procedure is in place by way of an appropriately reconciled and annotated report. The IS Auditor should obtain audit evidence by reviewing and testing this report.
- Detailed transaction records may only be available in machine-readable format requiring the IS Auditor to obtain audit evidence using computer-assisted audit techniques.

3.3 Audit Documentation
3.3.1 Audit evidence gathered by the IS Auditor should be appropriately documented and organised to support the IS Auditor's findings and conclusions.

4. REPORTING

4.1 Restriction of Scope
4.1.1 In those situations where the IS Auditor believes sufficient audit evidence cannot be obtained, the IS Auditor should disclose this fact in a manner consistent with the communication of the audit results.

5. EFFECTIVE DATE

5.1 This Guideline is effective for all information systems audits beginning on or after 1 December 1998.

APPENDIX - GLOSSARY
Audit Evidence - the Information Systems Auditor (IS Auditor) gathers information in the course of performing an IS audit. The information used by the IS Auditor to meet audit objectives is referred to as audit evidence (evidence).
Relevant Audit Evidence - audit evidence is relevant if it pertains to the audit objectives and has a logical relationship to the findings and conclusions it is used to support.
Reliable Audit Evidence - audit evidence is reliable if, in the IS Auditor's opinion, it is valid, factual, objective and supportable.
Sufficient Audit Evidence - audit evidence is sufficient if it is complete, adequate, convincing and would lead another IS Auditor to form the same conclusions.
Useful Audit Evidence - audit evidence is useful if it assists IS Auditors in meeting their audit objectives.

Copyright 1998
Information Systems Audit and Control Association
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Telephone: +1.847.253.1545
Fax: +1.847.253.1443
Email: research@isaca.org
Web Site: http://www.isaca.org
