Brainscape's Knowledge GenomeTM


Top Flashcards (Certified)
All Flashcards

ISACA CISA Exam > ISACA ITAF (General Standards/Guidelines) > Flashcards

ISACA ITAF (General Standards/Guidelines) Flashcards

(41 cards)

Start Studying
1
Q

Standards: Audit Charter (1001)

A
  1. 1) The IT audit and assurance function shall document the audit function appropriately in an audit charter, indicating purpose, responsibility, authority and accountability.
  2. 2) The IT audit and assurance function shall have the audit charter agreed upon and formally approved by those charged with governance and oversight of the audit function, e.g., the board of directors and/or the audit committee.
  3. 3) The IT audit and assurance function shall communicate the audit charter to executive/senior management. Also, relevant elements of the audit charter shall be shared with groups being audited at entrance meetings and/or through engagement letters.
  4. 4) Through review of the audit charter on a periodic basis, the audit and assurance function’s responsibilities, as reflected in the audit charter, shall remain aligned with the enterprise’s mission and strategies. Immediate review of the audit charter is warranted should the enterprise’s mission or strategies change, or if the audit function’s responsibilities change.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

Guidelines: Audit Charter (1001) - What should an Audit Charter document?

A

An audit charter shall document the IT audit and assurance function’s:

  • Independence, code of ethics and standards
  • Purpose, responsibility, authority and accountability
  • Protocols that the IT audit and assurance practitioner will follow in the performance of engagements, including but not limited to communication and escalation
  • Roles and responsibilities of the auditee during the IT audit or assurance engagement
  • The IT audit and assurance function’s role in reporting irregularities and illegal acts
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

Guidelines: Audit Charter (1001) - What is the Purpose of the Audit Function?

A

The purpose of the audit function is to:

Evaluate and test the design and execution of controls implemented by management.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

Guidelines: Audit Charter (1001) - What is the Responsibility of the Audit Function?

A

The responsibility of the audit function is to:

Add value to the enterprise, ensuring that organizational perspectives such as strategy, mission and regulatory/compliance expectations are integrated in its work, and to abide by professional expectations (e.g., ethics, professional development).

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

Guidelines: Audit Charter (1001) - The Audit Charter should contain the following sections to facilitate the Audit Function’s Responsibilities..

A
  • Independence: Independence requirement for the audit function and practitioners. Independence should be assessed periodically (at least annually). Results of independence assessment and potential impairments of independence should be reported to Board of Directors and/or Audit Committee.

**Should also establish whether the practitioners are permitted to perform nonaudit services or roles, and the broad nature/timing/extent of such services or roles to ensure that objectivity/independence are not impaired*

  • Relationship with External Audit Firms: Details the audit function’s reliance strategy with the external auditor (meeting with them to coordinate, providing access to workpapers/evidence, considering the work planned by external auditors when drafting the audit plan for the coming period)
  • Auditee’s Expectations: Detail the services and deliverables the auditees can expect from the audit function and practitioners (description of identified problems/consequences/possible resolutions; may also note SLA for delivering final report to management, response to auditee complaints, reporting process, agreement with management on findings, etc.)
  • Auditee Requirements: All auditees are required to make themselves available and assist the audit function in fulfilling their assigned responsibilities.
  • Abide by Professional Standards
  • Compliance: Compliance with standards that detail the requirements with which the audit function will adhere to.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

Guidelines: Audit Charter (1001) - What is the Authority of the Audit Function?

How is this detailed in the Audit Charter?

A

Authority of the audit function should contain the following sections:

  • Right of Access: Right of Access to relevant information, systems (including logs/activities built into the systems), personnel, and locations.

The Audit Function has authorized access to any and all records/documentation/systems/locations/etc. necessary to perform the audit engagement. Can seek assistance from Executive Management in obtaining such access.

The Audit Function has the authority to seek any information from an employee/consultant/contractor when performing the audit engagement.

  • Limitations of Authority (if any)
  • Processes to be Audited: Processes that the audit function is authorized to audit - i.e., the audit function is free to determine that processes it will audit, based on the risk-based audit plan.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

Guidelines: Audit Charter (1001) - What is the Accountability of the Audit Function?

How is this detailed in the Audit Charter?

A
  • Distributing Written Communications: i.e. distributing reports for audits (and memoranda for non-audit engagements) to the appropriate stakeholders and the Board of Directors and/or the Audit Committee.
  • Monitoring and Reporting of Management’s Progress: i.e. monitoring of management’s agreed-on implementations/corrective actions.
  • Reporting of the Audit Function’s Performance Metrics: i.e. reporting on performance relative to the audit plan and budget to the Board of Directors and/or the Audit Committee.
  • Reporting to Those Charged with Governance/Oversight of the Audit Function: i.e. reporting on the audit function’s independence and any potential impairments.
  • Quality Assurance Process: That establishes an understanding of auditee needs/expectations relevant to the audit function (i.e. interviews, surveys, etc.). These needs should be evaluated against the Audit Charter.
  • Staffing Rules for Audit Engagements: Reliance on the Audit Charter permitting non-audit services (i.e. consulting) to ensure that independence and objectivity are not impaired.

Also establishes the minimum time period that must elapse before practitioners can participate on audit engagements in areas they performed non-audit/consulting services.

Penalties when the audit function fails to carry out its responsibilities.

Frequence and communication channels through which the audit function will communicate with the auditees.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

Standards: Organizational Independence (1002)

A
  1. 1) The audit function shall (must) be free from conflicts of interest and undue influence (influence by which a person is induced to act otherwise than by their own free will) in all matters related to audit and assurance engagements. Any impairment of independence (in fact or appearance) is identified and disclosed to the appropriate parties.
  2. 2) The audit function shall (must) have a functional reporting relationship (e.g., reporting to the board of directors) that supports the function’s ability to remain free from undue influence.
  3. 3) The audit function shall (must) have an administrative reporting relationship that supports the function’s unhindered performance of its responsibilities (e.g., scope of engagement, fieldwork or reporting).

Functional Reporting Relationship: Shows the “chain of command” so to speak at the functional level: who makes decisions, and who executes, even if one is not the formal “boss” of the other.

Administrative Reporting Relationship: Shows the boss/subordinate relationship in its formalistic structure, without regard to function. In some organization, a person may be formally attached to a department without having anything to with them functionally.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

Guidelines: Organizational Independence (1002) - What should the Audit Function’s position be in the enterprise/business?

A

The Audit Function must have a position in the business that allows it to perform its responsibilities without interference.

This can be achieved by:

  • In the Audit Charter, establishing in the audit function as an independent function/department outside of operational departments. The Audit Function should not be assigned any operational responsibilities/activities.
  • Ensuring that the Audit Function reports to a level within the business that allows it to achieve organization independence (i.e. NOT reporting to the head of an operational department).
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

Guidelines: Organizational Independence (1002) - What roles should the Audit Function avoid performing in the enterprise/business?

A
  • The Audit Function should avoid performing non-audit roles in IT initiatives that require assumption of management’s responsibilities (because it could impair future independence).
  • The Audit Function’s independence could be impaired if an auditor is scheduled to plan/participate on an engagement in an area in which the auditor previously had direct management responsibility (if the defined acceptable timeframe has not yet passed).
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

Guidelines: Organizational Independence (1002) - Who should the Audit Function report to in the enterprise/business?

WHAT should the Audit Function report to those charged with governance for input/approval?

A

The Audit Function should report to a level that allows it to act with complete organizational independence.

Independence should be defined in the Audit Charter and confirmed by the Board of Directors and those charged with governance on a regular basis (at least annually.)

To ensure organizational independence, the following should be reported to those charged with governance (i.e. Board of Directors) for their input and/or approval:

  • Audit resource plan & budget
  • Risk-based audit plan
  • Performance follow-up performed by the Audit Function on audit activity
  • Follow-up of significant scope/resource limitations
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

Standards: Auditor Objectivity (1003)

A

IT audit and assurance practitioners shall be objective in all matters related to audit and assurance engagements.

Practitioners (Auditors) are required to identify, evaluate, and address potential threats to objectivity or independence.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

Guidelines: Auditor Objectivity (1003) - What should an auditor do when appropriate safeguards are not available/cannot be applied to eliminate objectivity threats or reduce threats to an acceptable level?

A

The practitioner (auditor) should either (1) eliminate the circumstance or relationship creating the threats, or (2) decline or terminate the audit or assurance engagement.

If the auditor cannot decline or terminate the engagement, appropriate disclosure of the impairment to objectivity or independence must be made to those charged with governance (i.e. Board of Directors), and included in any report resulting from the engagement.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

Guidelines: Auditor Objectivity (1003) - What factors/situations may create a threat to an auditor’s objectivity?

A

1) Self-Interest: i.e. financial interest influences the auditor’s professional judgement.
2) Self-Review: The threat that auditors will not appropriately evaluate results of previous judgements made/service performed, which the auditor relies upon when forming judgements in the current engagement.
3) Advocacy: Auditor promotes an auditee’s (i.e. operational team member’s) position to the point that professional objectivity is compromised.
4) Familiarity: Due to a long or close relationship with an auditee (auditor becomes too sympathetic to the interest of the auditee and is then too accepting of their work/views/arguments).
5) Intimidation: Actual and/or perceived pressures (including auditee attempts to exercise undue influence on auditors).
6) Bias: Political, ideological, social, psychological, other convictions
7) Management Participation: Resulting from the auditor taking on the role of management/performing management functions on behalf of the entity undergoing an audit or assurance engagement.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

Guidelines: Auditor Objectivity (1003) - When should an auditor specifically NOT perform non-audit services?

A

An auditor should not perform nonaudit services or roles in areas where it is likely that a current or future audit or assurance engagement is planned and would likely be performed by the same
auditor.

If the entity has no other recourse (i.e., engaging an alternative internal or external
resource), the auditor’s involvement in the non-audit service should be approved by the chief audit executive (or VP/director of audit) and by those formally charged with governance and oversight of the audit function (e.g., the board of directors and/or the audit committee).

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

Guidelines: Auditor Objectivity (1003) - What safeguards can be implemented to reduce threats to objectivity?

A

Examples of safeguards that can be considered by practitioners in response to identified threats are:

 Internal procedures within the enterprise and audit function that ensure objective choices in assigning engagements, (e.g., the practitioner does not audit an area over which the practitioner previously had direct management responsibilities)

 Assigning management and staff from outside the audit function, such as borrowing staff from another function, division or external organization to supplement practitioners

 Periodic rotation in IT audit assignments, reducing the practitioner’s familiarity with people in the assigned areas

 Adequate hiring practices, such as background screening and vetting, to improve the likelihood that practitioners are free from bias or conflicts of interest (i.e., competing professional or personal interests)

 Removing an individual from an engagement should that individual’s interests or relationships pose a threat to objectivity

 Appropriate documentation and reporting requirements, ensuring that assessment of professional independence is documented in the work papers and consistently reported in deliverables

 Assigning an independent resource—from within the audit function or other sources referenced previously—to carry out a peer review or to act as an independent observer during planning, fieldwork and reporting

 Having an external review of the reports, communications or information produced by practitioners by a recognized third party, e.g., accepted authority in the field or independent specialist

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

Guidelines: Auditor Objectivity (1003) - What are non-audit services?

What are examples of non-audit services/roles/activities that auditors may be involved in?

Study These Flashcards
A

Non-audit services are advisory or consultative services/capabilities.

Auditors may be involved in non-audit services or roles, such as:

 Advising on IT strategies relating to areas such as technology, applications and resources
 Evaluating, selecting and implementing technologies
 Evaluating, selecting, customizing and implementing third-party IT applications and solutions
 Designing, developing and implementing custom-built IT applications and solutions
 Establishing good practices, policies and procedures relating to various IT functions
 Designing, developing, testing and implementing IT security and IT controls
 Advising on IT projects

Auditors may be involved in non-audit activities, such as:

 Full-time temporary assignment or loan of audit staff to an IT project team
 Part-time assignment of an auditor as a member of an IT project, such as the project steering group, project working group, evaluation team, negotiation and contracting team, implementation team, quality assurance team or troubleshooting team
 Acting as an advisor or reviewer of IT projects or IT controls on an ad hoc basis

18
Q

Guidelines: Auditor Objectivity (1003) - What should an auditor do after providing non-audit services when determining if their objectivity/independence was impaired?

Study These Flashcards
A

Practitioners providing nonaudit services or roles should use the conceptual framework to evaluate whether the nonaudit services or roles generate an impairment of objectivity or
independence for current or future audit or assurance engagements.

This applies to engagements in which the nonaudit services or roles are performed in an area that is **significant or material to the subject matter or stakeholders** of those engagements.

If necessary, practitioners should seek guidance from IT audit and assurance colleagues and management, and/or those charged with governance, to determine whether safeguards can be implemented to adequately mitigate any actual or perceived threats to objectivity.

19
Q

Guidelines: Auditor Objectivity (1003) - What should audit management do when a potential for objectivity/independence impairment is is identified?

Study These Flashcards
A

In the case of an IT audit or assurance engagement in which there is potential for impaired objectivity or independence in attitude or appearance due to nonaudit services or roles performed, IT audit and assurance management should implement safeguards such as:

 Monitoring the conduct of the audit closely

 Evaluating any significant indications of impairment of objectivity or independence arising out of nonaudit services or roles performed, and initiating necessary safeguards

 Informing those charged with governance of the potential impairment of objectivity or independence and the safeguards implemented

20
Q

Guidelines: Auditor Objectivity (1003) - What are non-audit services or roles that DO NOT impair an auditor’s independence/objectivity?

Study These Flashcards
A
  • Routine and administrative activities / activities involving matters that are insignificant = generally, these are deemed to not be “management responsibilities” and do not impair objectivity.
  • Providing routine advice on IT risk and controls
  • To avoid assuming a management responsibility when providing non-audit services, an auditor should only provide these services if the actual management will perform functions such as (1) overseeing services performed, (2) evaluating the results of services performed, and (3) accepting responsibility for the results of services performed).
21
Q

Guidelines: Auditor Objectivity (1003) - What are non-audit services or roles that DO impair an auditor’s independence/objectivity?

Study These Flashcards
A

These activities could become so significant that no safeguards could reduce the impairment to an acceptable level:

  • Assuming management responsibilities
  • Performing management activities

Management responsibilities typically include:

  • Setting policies and strategic direction
  • Directing/taking responsibility for the actions of the entity’s employees
  • Authorizing transactions
  • Deciding recommendations of the audit function/third parties/etc. to implement
  • Taking responsibility for designing, implementing, or maintaining internal control
  • Accepting responsibility for the management of an IT project/initiative

In addition to assuming management responsibilities, the following non-audit services may impair objectivity/independence:

  • Material involvement in the supervision or performance of designing/developing/testing/installing/operating information systems that are material or significant to the subject matter of the audit
  • Designing controls or systems that are material or significant to the subject matter of the audit
  • Serving in a governance role where the auditor is independent or jointly responsible for either making management decision or approving policies and standards
  • Providing advice that forms the primary basis of management decision or performing management functions
22
Q

Guidelines: Auditor Objectivity (1003) - What should be included in the audit report when a potential impairment was identified?

Study These Flashcards
A

If the objectivity/independence of auditors performing an IT audit or assurance engagement is, could be, or could appear to be impaired, and if those charged with governance have made the decision to continue the engagement, the IT audit and assurance engagement report should include sufficient information to allow the users of the report to understand the nature of the potential impairment.

Information that should be considered to be disclosed in the report includes:

  • Names/seniority of practitioners involved in the engagement
  • Analysis and description of any potential impairments
  • Safeguards implemented to eliminate or mitigate different threats to independence/objectivity during the course of the engagement and reporting process
  • Disclosure of the potential impairment to those charged with governance, and their approval to continue with the engagement and/or non-audit services
23
Q

Standards: Reasonable Expectation (1004)

Study These Flashcards
A
  1. 1) IT audit and assurance practitioners shall have reasonable expectation that the engagement can be completed in accordance with applicable IT audit and assurance standards and, where required, other industry standards or applicable laws and regulations that will result in a professional opinion or conclusion.
  2. 2) IT audit and assurance practitioners shall have reasonable expectation that the scope of the engagement enables a conclusion on the subject matter and that any scope limitations are addressed.
  3. 3) IT audit and assurance practitioners shall have reasonable expectation that management understands its obligations and responsibilities with respect to providing appropriate, relevant and timely information required to perform the engagement.
24
Q

Guidelines: Reasonable Expectation (1004) - Requirements of the stated audit scope?

What potential impact do scope limitations have?

Study These Flashcards
A
  • Scope should be clearly documented and not too vague (should be no room for interpretation as to which areas - i.e. processes, activities, systems - are in scope for the engagement.

Scope Limitations:

  • Scope limitations may occur before/during an engagement and can be caused by a variety of factors, such as: evidence required to complete the audit are unavailable, key auditees are unavailable, time frame is insufficient to complete the entire scope, the number of appropriately skilled auditors available to perform the current scope is insufficient, remediation of existing nonconformances is still in process, etc.
  • Practitioners should consider whether scope limitations still allow for a reasonable expectation that the audit engagement will result in a professional opinion or conclusion. If yes, the scope limitation should be explicitly stated in the audit report.
25
Guidelines: Reasonable Expectation (1004) - Impact of changes in engagement terms?
- Auditors should not accept a change in terms of the audit engagement if, based on professional judgement, there is no justification for doing so (especially if the change lowers the level of assurance). - Changes in audit engagement terms should be recorded and formally approved by both the auditors and IT audit management. The audit report should mention this change in terms explicitly.
26
Standards: Due Professional Care (1005)
1005.1) In accordance with ISACA’s Code of Professional Ethics, auditors will exercise due diligence and professional care. They will maintain high standards of conduct and character, and they will refrain from engaging in acts that may discredit themselves or the profession. Privacy and confidentiality of information obtained during the course of the auditor’s duties should be maintained. Further, this information should not be used for personal benefit, nor should the information be disclosed unless required by legal authority ISACA Note: "Due Professional Care" implies reasonable care and competence (not infallibility or extraordinary performance).
27
Guidelines: Due Professional Care (1005) - What should auditors do in order to exercise Due Professional Care?
Due Professional Care applies to the exercise of *professional judgement* in the conduct of work performed. It implies that auditors should approach matters requiring *professional judgement* with: - Professional skepticism - Diligence - Integrity - Care In order to exercise Due Professional Care, auditors must: - Consider the possible existence of inefficiencies, misuses, errors, scope limitations, incompetence, conflicts of interest, and fraud. - Be attentive to specific conditions or activities where the issues noted above can occur. - Keep informed of and comply with developments in professional standards (professional competence). - Conduct audit engagements with diligence while adhering to professional standards and statutory and regulatory requirements. - Conduct all audits with the concept of **reasonable assurance** in mind. - Plan the audit engagement completely and in a timely manner, ensuring staff possess necessary skills/knowledge/competencies to perform the audit engagement. - Ensure that management's corrective actions effectively address audit findings. - *****Address their findings to auditees of the audit engagement.***** - Obtain, use, retain, and properly dispose of information in accordance with policies/laws/rules/regulations. - Consider costs of the engagement relative to potential benefits. Due Professional Care extends to every aspect of the audit (including accepting audit assignments and conducting follow-up activities post-completion).
28
Standards: Proficiency (1006)
1006. 1) IT audit and assurance practitioners, collectively with others assisting with the audit and assurance engagement, shall possess the professional competence to perform the work required. 1006. 2) IT audit and assurance practitioners shall possess adequate knowledge of the subject matter to perform their roles in IT audit and assurance engagements. 1006. 3) IT audit and assurance practitioners shall maintain professional competence through appropriate continuing professional education and training.
29
Guidelines: Proficiency (1006) - What is professional competence? What does the auditor do to ensure professional competence is reached for an audit engagement?
Processional Competency: Possession of skills, knowledge, and expertise, through an adequate level of education and experience, to appropriately perform an audit engagement. To ensure professional competency, Audit Management should ensure and confirm availability of competent resources (staff) prior to the commencement of the audit engagement, as well as ensure requirements for skills/knowledge per staff member are commensurate with their levels of responsibility (i.e. Manager vs. Associate). If required skills are not available, should consider alternative means such as subcontracting specific resources/outsourcing a portion of the audit/even delaying the audit engagement/etc, Auditors/Practitioners should do/have the following: - Proficiency in the identification and assessment of risk and controls - Proficiency in the application and use of audit tools and techniques - Knowledge to identify and determine the impact of possible conditions or deviations material to the audit engagement (and to communicate them appropriately) - Ability to recognize possible fraud indicators - Possess a general knowledge of business fundamentals (i.e. economics, accounting, finance, tax, etc.) and information technology knowledge. CPE is a methodology adopted by ISACA to maintain professional competence and update skills and knowledge.
30
Guidelines: Proficiency (1006) - What is ISACA's CPE Requirement for Certification Holders?
- Earn and report an **annual minimum** of 20 CPE hours. - Earn and report a minimum of 120 CPE hours for a 3-year reporting cycle period. - Comply with the annual CPE audit if selected.
31
Standards: Assertions (1007)
1007.1) IT audit and assurance practitioners shall review the assertions against which the subject matter will be assessed to determine that such assertions are capable of being audited and that the assertions are sufficient, valid and relevant.
32
Guidelines: Assertions (1007) - What are Assertions? What are the common Assertions an auditor may consider?
Assertions are any declarations about whether the subject matter is based on or in conformity with the criteria selected. During an audit, auditors obtain assurance on their achievement and address them in the audit report. Common assertions an auditor should consider include: (1) Confidentiality: Preserving authorized restrictions on access and disclosure, including means for protecting privacy and proprietary information. (2) Completeness: All activities/information/data that should have been recorded are recorded. (3) Accuracy: Amounts/dates/other data related to recorded activities have been recorded appropriately. (4) Integrity: Information/evidence/other data received come from trustworthy and reliable sources and are protected throughout their life cycles (i.e. comparing the hash after a backup is completed with the hash immediately before a backup is restored to check for indications of tampering). (5) Availability: Information/evidence/other data required for the audit engagement exist and are accessible. (6) Compliance: Information/evidence/other data are recorded according to enterprise, regulatory, or other applicable stipulations/requirements (i.e. required fields, according to the stipulations, are present on the change records). (7) Efficiency: Level of performance used allows the lowest number of inputs to create the greatest number of outputs. (8) Effectiveness: The desired output or objective is produced.
33
Guidelines: Assertions (1007) - Who defines the Assertions? What should the auditor do when reviewing the Assertions?
Management is responsible for defining and approving subject matter and related assertions. The auditor, when reviewing management's assertions, should: - Ensure that the assertions are what a knowledgeable reader/user would expect compare to other standards. - Ensure management confirmed their understanding of their responsibility to provide all required information regarding the subject matter and the assertions to the auditors. If they can't fulfill this, the auditor should inform audit management and those charged with governance of the audit function (Board of Directors and/or Audit Committee) - as well as not accept the engagement/determine another course of action based on the associated level of risk. - Review the assertions to ensure they are: (1) Sufficient: Enough to meet the purpose of the audit engagement, which is to express an opinion or conclusion on the subject matter in scope. (2) Valid: Able to be tested, given the subject matter in scope (auditable and able to be supported by corroborating information). (3) Relevant: Directly connected to the subject matter in scope and useful to meeting the purpose of the audit engagement.
34
Guidelines: Assertions (1007) - How does the auditor use Subject Matter Criteria during an audit engagement?
Auditors should assess the subject matter of the engagement against **predetermined criteria*** to express an opinion or conclusion on the subject matter. Auditors should evaluate the criteria to ensure that they **support the relevant assertions**. One criterion can link to multiple assertions; one assertion can be supported by multiple criteria. If the auditor concludes that the criteria do not fully support all relevant assertions, they should recommend changes or additions to the existing criteria. Audit management MUST review and approve/reject new or modified criteria. After assessing that the criteria fully support the relevant assertions, auditors should assess whether the criteria can be subject to **objective and measurable analysis**.
35
Guidelines: Assertions (1007) - How do Assertions developed by 3rd parties impact the audit engagement?
Businesses that outsource operations to 3rd parties will receive reports (i.e. SOC 1s) about the control environment of the outsourced operations. If auditors rely on these reports for the audit engagement, auditors should review each report to determine whether: - The report is issued by a relevant independent professional body - The audit opinion is qualified or unqualified - The scope of control objectives adequately covers the controls required by the business - The period being audited is in line with business expectations - Specific control deficiencies (that did not lead to qualification) are relevant to the business - The Assertions used are in line with the required assertions. Audit management should document the analysis made and conclusions reached. Assertions should be verified and formally approved by management as a part of the engagement that has the outsourced operations in scope.
36
Guidelines: Assertions (1007) - What should the auditor do after forming conclusions based on assessing the subject matter against the assertions/criteria?
After forming a conclusion about each assertion based on the aggregate of findings against criteria (along with professional judgement), practitioners should issue an indirect or direct report on the subject matter:  Indirect report: On the assertions about the subject matter, e.g., on the assertion “completeness,” for a component of the subject matter: “Based on our operating effectiveness testing, in our opinion the IT system changes promoted to production, in all material respects according to the selected criteria, have been completely recorded in the change management tracking application.”  Direct report: On the subject matter itself, e.g., on the entire subject matter: “Based on our testing, in our opinion the IT system changes are following, in all material respects according to the selected criteria, the required change management procedure.”
37
Standards: Criteria (1008)
1008. 1) IT audit and assurance practitioners shall select criteria, against which the subject matter will be assessed, that are **objective, complete, relevant, reliable, measurable, understandable, widely recognized, authoritative and understood by, or available to, all readers and users of the report.** 1008. 2) IT audit and assurance practitioners shall consider the acceptability of the criteria and focus on criteria that are **recognized, authoritative and publicly available.**
38
Guidelines: Criteria (1008) - How should an auditor select criteria?
Auditors must select criteria against which the subject matter will be assessed (assertions) and in accordance with laws and regulations (i.e. international data protection rules). Auditors must refrain from evaluating subject matter on the basis of judgement. BUT professional judgement should be used in ensuring that the use of criteria will enable the development of a fair and objective opinion/conclusion. When selecting the criteria, auditors must consider the (1) suitability, (2) acceptability, and (3) source of the criteria. The use of (1) suitable and (2) acceptable criteria is required to ensure a consistent evaluation of the subject matter. Otherwise, conclusions would be open to misunderstanding/misinterpretation. If criteria are not readily available or are incomplete/subject to interpretation, auditors should include a description of the criteria and any other information necessary to ensure the report is fair, objective, and understandable.
39
Guidelines: Criteria (1008) - "Suitable" criteria include those that are what?
Criteria used for assessing subject matter should be suitable (appropriate). In order for criteria to be suitable, they should be... (1) Objective: Free from bias (i.e. criteria is objective because it was ratified by local law). (2) Complete: Sufficiently complete so that all criteria that could affect the auditor's conclusions are identified and used in the conduct of the engagement. (3) Relevant: Relevant to the subject matter and contributes to findings/conclusions that meet the audit engagement's objectives. (4) Reliable: Should allow reasonably consistent measurement or evaluation of the underlying subject matter and the development of consistent conclusions when applied by different auditors etc. (5) Measurable: Permits consistent measurement of the subject matter and the development of consistent conclusions when applied by different auditors etc. (6) Understandable: Communicated clearly and not subject to significantly different interpretation by intended users (i.e. criteria is understandable because the law/regulation has already been subject to multiple court rulings).
40
Guidelines: Criteria (1008) - "Acceptable" criteria include those that are what?
The acceptability of criteria is affected by the availability of the criteria to the users of the audit report, so they understand the basis of the activity/relevance of the findings and conclusions. Acceptable criteria are those that are.... (1) Recognized: Sufficiently well recognized so that their use is not questioned by intended users. (2) Authoritative: Reflect authoritative pronouncements within the area and are appropriate for subject matter (i.e. from professional bodies/industry groups/regulators/etc.) (3) Publicly Available: Includes standards developed by professional accounting and audit bodies such as ISACA, as well as other government/legal/professional bodies. (4) Available to All Users: Where not publicly available, criteria should be communicated to all users through assertions that form part of the audit report (Assertions can be audited based on their ability to meet the requirements of "suitable criteria"). Auditors should ensure that the criteria used are either (1) externally accepted (recognized, authoritative and publicly available) or (2) externally confirmed (criteria developed by management for specific engagement and as such require external validation by 3rd party to ensure management isn't implicitly compelling a desired outcome).
41
Guidelines: Criteria (1008) - What are possible criteria "Sources"?
Auditors should consider the criteria's source in terms of (1) use and (2) potential audience. Possible criteria sources, listed in order of consideration, include: (1) Criteria established by ISACA (publicly available criteria and standards; peer reviewed) (2) Criteria established by other bodies of experts (also peer reviewed) (3) Criteria established by laws and regulations (BUT ensure care is taken in their use, as wording is often complex/carry specific legal meaning; sometimes expressing an opinion on legislation is restricted) (4) Criteria established by entities that did not follow due process (relevant criteria developed by entities that did not follow due process and thus have not been subject to public consultation/debate/peer review) (5) Criteria developed specifically for the audit engagement (may be appropriate, but auditors should take particular care to ensure they're suitable - especially objective, complete, and measurable. Usually pertains to the needs of a specific user; should be noted in the audit report and provide more information about the criteria, if needed. If management identified, then external confirmation should be sought and mentioned in the report)

ISACA CISA Exam (6 decks)

Brainscape helps you reach your goals faster, through stronger study habits.
© 2025 Bold Learning Solutions. Terms and Conditions