UNCW MSA 516 - CONTROL RISK SELF ASSESSMENT

This preview shows page 1-2 out of 7 pages.


Introduction—The specialised nature of information systems (IS) auditing and the skills necessary to perform such audits require standards that apply specifically to IS auditing. One of the goals of the Information Systems Audit and Control Association (ISACA) is to advance globally applicable standards to meet this need. The development and dissemination of the IS Auditing Standards are a cornerstone of the ISACA professional contribution to the audit community.

Objectives—The objectives of the ISACA IS Auditing Standards are to inform:
- IS auditors of the minimum level of acceptable performance required to meet the professional responsibilities set out in the ISACA Code of Professional Ethics for IS auditors
- Management and other interested parties of the profession’s expectations concerning the work of practitioners

The objective of the IS Auditing Procedures is to provide further information on how to comply with the IS Auditing Standards.

Scope and Authority of IS Auditing Standards—The framework for the IS Auditing Standards provides multiple levels of guidance:
- Standards define mandatory requirements for IS auditing and reporting.
- Guidelines provide guidance in applying IS Auditing Standards. The IS auditor should consider them in determining how to achieve implementation of the standards, use professional judgment in their application and be prepared to justify any departure.
- Procedures provide examples of procedures an IS auditor might follow in an audit engagement. Procedures should not be considered inclusive of any proper procedures and tests or exclusive of other procedures and tests that are reasonably directed to obtain the same results. In determining the appropriateness of any specific procedure, group of procedures or test, the IS auditors should apply their own professional judgment to the specific circumstances presented by the particular information systems or technology environment. The procedure documents provide information on how to meet the standards when performing IS auditing work, but do not set requirements.

The words audit and review are used interchangeably. A full glossary of terms can be found on the ISACA web site at www.isaca.org/glossary.htm.

Holders of the Certified Information Systems Auditor (CISA®) designation are to comply with the IS Auditing Standards adopted by ISACA. Failure to comply with these standards may result in an investigation into the CISA holder's conduct by the ISACA Board of Directors or appropriate ISACA committee and, ultimately, in disciplinary action.

Development of Standards, Guidelines and Procedures—The ISACA Standards Board is committed to wide consultation in the preparation of the IS Auditing Standards, Guidelines and Procedures. Prior to issuing any documents, the Standards Board issues exposure drafts internationally for general public comment. The Standards Board also seeks out those with a special expertise or interest in the topic under consideration for consultation where necessary.

The following COBIT resources should be used as a source of best practice guidance:
- Control Objectives—High-level and detailed generic statements of minimum good control
- Control Practices—Practical rationales and how-to-implement guidance for the control objectives
- Audit Guidelines—Guidance for each control area on how to: obtain an understanding, evaluate each control, assess compliance, and substantiate the risk of controls not being met
- Management Guidelines—Guidance on how to assess and improve IT process performance, using maturity models, metrics and critical success factors

Each of these is organised by the IT management process, as defined in the COBIT Framework. COBIT is intended for use by businesses and IT management as well as IS auditors. Its usage allows for the understanding of business objectives and for the communication of best practices and recommendations around a commonly understood and well-respected standard reference.

The Standards Board has an ongoing development programme, and welcomes the input of ISACA members and other interested parties to help identify emerging issues requiring new standards. Any suggestions should be e-mailed ([email protected]), faxed (+1.847.253.1443) or mailed (address at the end of this procedure) to ISACA International Headquarters, for the attention of the director of research standards and academic relations.

This material was issued on 1 May 2003.

Information Systems Audit and Control Association 2002-2003 Standards Board
Chair, Claudio Cilli, CISA, CISM, Ph.D., CIA, CISSP KPMG, Italy
Claude Carter, CISA, CA Nova Scotia Auditor General’s Office, Canada
Sergio Fleginsky, CISA PricewaterhouseCoopers, Uruguay
Alonso Hernandez, CISA, ROAC Colegio Economistas, Spain
Marcelo Hector Gonzalez, CISA Central Bank of Argentina Republic, Argentina
Andrew MacLeod, CISA, FCPA, MACS, PCP, CIA Brisbane City Council, Australia
Peter Niblett, CISA, CA, MIIA, FCPA Day Neilson, Australia
John G. Ott, CISA, CPA Aetna, Inc., USA
Venkatakrishnan Vatsaraman, CISA, ACA, AICWA, CISSP Emirates Airlines, United Arab Emirates

IS AUDITING PROCEDURE
CONTROL RISK SELF-ASSESSMENT (CRSA)
DOCUMENT P5

1. BACKGROUND

1.1 Linkage to ISACA Standards

1.1.1 Standard S5 Planning states, “The IS auditor should plan the information systems audit coverage to address the audit objectives and comply with applicable laws and professional auditing standards.”

1.1.2 Standard S6 Performance of Audit Work states, “During the course of the audit, the IS auditor should obtain sufficient, reliable and relevant evidence to achieve the audit objectives. The audit findings and conclusions are to be supported by appropriate analysis and interpretation of this evidence.”

1.1.3 Standard S7 Reporting states, “The IS auditor should provide a report, in an appropriate form, upon the completion of the audit. The report should identify the organisation, the intended recipients and any restrictions on circulation. The audit report should state the findings, conclusions and recommendations and any reservations, qualifications or limitations in scope that the IS auditor has with respect to the audit. The IS auditor should have sufficient and appropriate audit evidence to support the results reported. When issued, the IS auditor’s report should be signed,

