UNCW MSA 516 - Auditing Guidelines for ERP Systems


Introduction—The specialised nature of information systems (IS) auditing and the skills necessary to perform such audits require standards that apply specifically to IS auditing. One of the goals of the Information Systems Audit and Control Association (ISACA) is to advance globally applicable standards to meet this need. The development and dissemination of the IS Auditing Standards are a cornerstone of the ISACA professional contribution to the audit community.

Objectives—The objectives of the ISACA IS Auditing Standards are to inform:
- IS auditors of the minimum level of acceptable performance required to meet the professional responsibilities set out in the ISACA Code of Professional Ethics for IS auditors
- Management and other interested parties of the profession’s expectations concerning the work of practitioners

The objective of the IS Auditing Guidelines is to provide further information on how to comply with the IS Auditing Standards.

Scope and Authority of IS Auditing Standards—The framework for the ISACA IS Auditing Standards provides multiple levels of guidance:
- Standards define mandatory requirements for IS auditing and reporting.
- Guidelines provide guidance in applying IS Auditing Standards. The IS auditor should consider them in determining how to achieve implementation of the standards, use professional judgment in their application and be prepared to justify any departure.
- Procedures provide examples of procedures an IS auditor might follow in an audit engagement. Procedures should not be considered inclusive of any proper procedures and tests or exclusive of other procedures and tests that are reasonably directed to obtain the same results. In determining the appropriateness of any specific procedure, group of procedures or test, IS auditors should apply their own professional judgment to the specific circumstances presented by the particular information systems or technology environment. The procedure documents provide information on how to meet the standards when performing IS auditing work, but do not set requirements.

The words audit and review are used interchangeably. A full glossary of terms can be found on the ISACA web site at www.isaca.org/glossary.htm.

The ISACA Code of Professional Ethics requires members of ISACA and holders of the Certified Information Systems Auditor (CISA®) designation to comply with IS Auditing Standards adopted by ISACA. Failure to comply with these standards may result in an investigation into the member's or CISA holder's conduct by the ISACA Board of Directors or appropriate ISACA committee and, ultimately, in disciplinary action.

Development of Standards, Guidelines and Procedures—The ISACA Standards Board is committed to wide consultation in the preparation of the IS Auditing Standards, Guidelines and Procedures. Prior to issuing any documents, the Standards Board issues exposure drafts internationally for general public comment. The Standards Board also seeks out those with a special expertise or interest in the topic under consideration for consultation, where necessary.

The following COBIT resources should be used as a source of best practice guidance:
- Control Objectives—High-level and detailed generic statements of minimum good control
- Control Practices—Practical rationales and how-to-implement guidance for the control objectives
- Audit Guidelines—Guidance for each control area on how to: obtain an understanding, evaluate each control, assess compliance, and substantiate the risk of controls not being met
- Management Guidelines—Guidance on how to assess and improve IT process performance, using maturity models, metrics and critical success factors

Each of these is organised by the IT management process, as defined in the COBIT Framework. COBIT is intended for use by businesses and IT management as well as IS auditors. Its usage allows for the understanding of business objectives and for the communication of best practices and recommendations around a commonly understood and well-respected standard reference.

The Standards Board has an ongoing development programme and welcomes the input of ISACA members and other interested parties to help identify emerging issues requiring new standards. Any suggestions should be e-mailed ([email protected]), faxed (+1.847.253.1443) or mailed (address at the end of this guideline) to ISACA International Headquarters, for the attention of the director of research standards and academic relations.

This material was issued on 1 May 2003.

Information Systems Audit and Control Association 2002-2003 Standards Board
Chair, Claudio Cilli, CISA, CISM, Ph.D., CIA, CISSP, KPMG, Italy
Claude Carter, CISA, CA, Nova Scotia Auditor General’s Office, Canada
Sergio Fleginsky, CISA, PricewaterhouseCoopers, Uruguay
Alonso Hernandez, CISA, ROAC, Colegio Economistas, Spain
Marcelo Hector Gonzalez, CISA, Central Bank of Argentina Republic, Argentina
Andrew MacLeod, CISA, FCPA, MACS, PCP, CIA, Brisbane City Council, Australia
Peter Niblett, CISA, CA, MIIA, FCPA, Day Neilson, Australia
John G. Ott, CISA, CPA, Aetna, Inc., USA
Venkatakrishnan Vatsaraman, CISA, ACA, AICWA, CISSP, Emirates Airlines, United Arab Emirates

IS AUDITING GUIDELINE
ENTERPRISE RESOURCE PLANNING (ERP) SYSTEMS REVIEW
DOCUMENT G21

1. BACKGROUND

1.1 Linkage to ISACA Standards

1.1.1 ISACA IS Auditing Standards, as well as certain of the IS Auditing Guidelines, have direct relevance to the IS auditor’s audit work on ERP systems or ERP system implementation projects.

1.1.2 For example, in accordance with Standard S6 Performance of Audit Work, supervision of the performance of ERP related audit work by subordinate IS or other audit staff for the IS auditor must be subject to sufficient appropriate supervision by the IS auditor.

1.1.3 Further, in those circumstances where the IS auditor is requested or required to be involved in nonaudit roles associated with the ERP systems or implementation project, in addition to the IS Auditing Standards and Guidelines related to S2 Independence and G12 Organisational Relationships and Independence, the IS auditor should review and appropriately consider the applicability of the ISACA Standards for IS Control Professionals.

1.1.4 If the IS auditor is to be involved from an audit or a nonaudit role perspective in the business process reengineering (BPR) activities associated with the implementation and use of an ERP system, ISACA’s IS Auditing Guideline G26 Business

