
IS Standards, Guidelines and Procedures for Auditing and


S1 Audit Charter, 1 January 2005
S2 Independence, 1 January 2005
S3 Professional Ethics and Standards, 1 January 2005
S4 Competence, 1 January 2005
S5 Planning, 1 January 2005
S6 Performance of Audit Work, 1 January 2005
S7 Reporting, 1 January 2005
S8 Follow-Up Activities, 1 January 2005
S9 Irregularities and Illegal Acts, 1 September 2005


Transcription of IS Standards, Guidelines and Procedures for Auditing and

IS Standards, Guidelines and Procedures for Auditing and Control Professionals

Code of Professional Ethics
IS Auditing Standards, Guidelines and Procedures
IS Control Professionals Standards

Current as of 15 January 2009.

ISACA

2008-2009 Board of Directors

Lynn Lawton, CISA, FBCS, FCA, FIIA, KPMG LLP, UK, International President
George Ataya, CISA, CISM, CGEIT, CISSP, ICT Control SA, Belgium, Vice President
Howard Nicholson, CISA, CGEIT, City of Salisbury, Australia, Vice President
Jose Angel Pena Ibarra, CGEIT, Consultoria en Comunicaciones e Info., SA & CV, Mexico, Vice President
Robert E. Stroud, CA Inc., USA, Vice President
Kenneth L. Vander Wal, CISA, CPA, Ernst & Young LLP (retired), USA, Vice President
Frank Yam, CISA, FHKCS, FHKIoD, Focus Strategic Group Inc., Hong Kong, Vice President
Marios Damianides, CISA, CISM, CA, CPA, Ernst & Young, USA, Past International President
Everett C. Johnson Jr., CPA, Deloitte & Touche LLP (retired), USA, Past International President
Gregory T. Grocholski, CISA, The Dow Chemical Company, USA, Director
Tony Hayes, Queensland Government, Australia, Director
Jo Stewart-Rattray, CISA, CISM, CSEPS, RSM Bird Cameron, Australia, Director

2008-2009 Standards Board

Ravi Muthukrishnan, CISA, CISM, FCA, ISCA, Capco IT Services India Private Ltd, India, Chair
Shawn Chaput, CISA, CISM, CISSP PMP, Canada
Maria Gonzalez, CISA, CISM, Homeland Office, Spain
John Ho Chi, CISA, CISM, CBCP, CFE, Ernst & Young, Singapore
Andrew MacLeod, CISA, FCPA, MACS, PCP, Brisbane City Council, Australia
John G. Ott, CISA, CPA, AmerisourceBergen, USA
Edgard Pelcher, CISA, Office of the Auditor General of South Africa, South Africa
Jason Thompson, CISA, CIA, CISSP, KPMG LLP, USA
Meera Venkatesh, CISA, CISM, ACS, CISSP, Microsoft Corporation, USA

IS Auditing Standards Disclaimer

ISACA has designed this guidance as the minimum level of acceptable performance required to meet the professional responsibilities set out in the ISACA Code of Professional Ethics for IS auditors. ISACA makes no claim that use of this product will assure a successful outcome. The publication should not be considered inclusive of all proper information, procedures and tests or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same results.

In determining the propriety of any specific information, procedure or test, the security and control professional should apply his/her own professional judgement to the specific circumstances presented by the particular systems or information technology environment.

IS Auditing Standards Disclosure and Copyright Notice

© 2009 ISACA. All rights reserved. No part of this publication may be used, copied, reproduced, modified, distributed, displayed, stored in a retrieval system, or transmitted in any form by any means (electronic, mechanical, photocopying, recording or otherwise), without the prior written authorisation of ISACA. Reproduction of all or portions of this publication is solely permitted for academic, internal and non-commercial use, and must include full attribution as follows: "© 2009 ISACA. This document is reprinted with the permission of ISACA." No other right or permission is granted with respect to this publication.

3701 Algonquin Road, Suite 1010, Rolling Meadows, IL 60008 USA
Telephone: + Fax: + E-mail: Web site:

Table of Contents

Code of Professional Ethics
How to Use this Publication
IS Auditing Standards Overview
Index of IS Auditing Standards, Guidelines and Procedures
IS Auditing Standards
Alpha List of IS Auditing Guidelines
IS Auditing Guidelines
IS Auditing Procedures
IS Control Professionals Standards
History
ISACA Standards Document Comment Form

Code of Professional Ethics

The Information Systems Audit and Control Association, Inc. (ISACA) sets forth this Code of Professional Ethics to guide the professional and personal conduct of members of the Association and/or its certification holders.

Members and ISACA certification holders shall:

1. Support the implementation of, and encourage compliance with, appropriate standards, procedures and controls for information systems.
2. Perform their duties with due diligence and professional care, in accordance with professional standards and best practices.
3. Serve in the interest of stakeholders in a lawful and honest manner, while maintaining high standards of conduct and character, and not engage in acts discreditable to the profession.
4. Maintain the privacy and confidentiality of information obtained in the course of their duties unless disclosure is required by legal authority. Such information shall not be used for personal benefit or released to inappropriate parties.
5. Maintain competency in their respective fields and agree to undertake only those activities, which they can reasonably expect to complete with professional competence.
6. Inform appropriate parties of the results of work performed; revealing all significant facts known to them.
7. Support the professional education of stakeholders in enhancing their understanding of information systems security and control.

Failure to comply with this Code of Professional Ethics can result in an investigation into a member's or certification holder's conduct and, ultimately, in disciplinary measures.

How to Use this Publication

Relationship of Standards to Guidelines and Procedures

IS Auditing Standards are mandatory requirements for certification holders' reports on the audit and its findings.

IS Auditing Guidelines and Procedures are detailed guidance on how to follow those standards. The IS Auditing Guidelines are guidance an IS auditor will normally follow with the understanding that there may be situations where the auditor will not follow that guidance. In this case, it will be the IS auditor's responsibility to justify the way in which the work is done. The procedure examples show the steps performed by an IS auditor and are more informative than IS Auditing Guidelines. The examples are constructed to follow the IS Auditing Standards and the IS Auditing Guidelines and provide information on following the IS Auditing Standards. To some extent, they also establish best practices for procedures to be followed.

Codification

Standards are numbered consecutively as they are issued, beginning with S1. Guidelines are numbered consecutively as they are issued, beginning with G1. Procedures are numbered consecutively as they are issued, beginning with P1.

Use

It is suggested that during the annual audit program, as well as individual reviews throughout the year, the IS auditor should review the standards to ensure compliance with them. The IS auditor may refer to the ISACA standards in the report, stating that the review was conducted in compliance with the laws of the country, applicable audit regulations and ISACA standards.

Electronic Copies

All ISACA standards, guidelines and procedures are posted on the ISACA web site at

Glossary

A full glossary of terms can be found on the ISACA web site at

IS Auditing Standards Overview

Issued by ISACA.

The specialised nature of information systems (IS) auditing and the skills necessary to perform such audits require standards that apply specifically to IS auditing. One of the goals of ISACA is to advance globally applicable standards to meet its vision. The development and dissemination of the IS Auditing Standards are a cornerstone of the ISACA professional contribution to the audit community. The framework for the IS Auditing Standards provides multiple levels of guidance:

Standards define mandatory requirements for IS auditing and reporting. They inform:
- IS auditors of the minimum level of acceptable performance required to meet the professional responsibilities set out in the ISACA Code of Professional Ethics for IS auditors
- Management and other interested parties of the profession's expectations concerning the work of practitioners
- Holders of the Certified Information Systems Auditor (CISA) designation of requirements.

