IS AUDITING GUIDELINE G7 DUE PROFESSIONAL CARE The specialised nature of information systems (IS) auditing and the skills necessary to perform such audits require standards that apply specifically to IS auditing. One of the goals of ISACA® is to advance globally applicable standards to meet its vision. The development and dissemination of the IS Auditing Standards are a cornerstone of the ISACA professional contribution to the audit community. The framework for the IS Auditing Standards provides multiple levels of guidance: • Standards define mandatory requirements for IS auditing and reporting. They inform: – IS auditors of the minimum level of acceptable performance required to meet the professional responsibilities set out in the ISACA Code of Professional Ethics – Management and other interested parties of the profession’s expectations concerning the work of practitioners – Holders of the Certified Information Systems Auditor™ (CISA®) designation of requirements. Failure to comply with these standards may result in an investigation into the CISA holder's conduct by the ISACA Board of Directors or appropriate ISACA committee and, ultimately, in disciplinary action. • Guidelines provide guidance in applying IS Auditing Standards. The IS auditor should consider them in determining how to achieve implementation of the standards, use professional judgement in their application and be prepared to justify any departure. The objective of the IS Auditing Guidelines is to provide further information on how to comply with the IS Auditing Standards. • Procedures provide examples of procedures an IS auditor might follow in an audit engagement. The procedure documents provide information on how to meet the standards when performing IS auditing work, but do not set requirements. The objective of the IS Auditing Procedures is to provide further information on how to comply with the IS Auditing Standards. Control Objectives for Information and related Technology (COBIT®) is an information technology (IT) governance framework and supporting tool set that allows managers to bridge the gaps amongst control requirements, technical issues and business risks. COBIT enables clear policy development and good practice for IT control throughout organisations. It emphasises regulatory compliance, helps organisations increase the value attained from IT, enables alignment and simplifies implementation of the COBIT framework’s concepts. COBIT is intended for use by business and IT management as well as IS auditors; therefore, its usage enables the understanding of business objectives and communication of good practices and recommendations to be made around a commonly understood and well-respected framework. COBIT is available for download on the ISACA web site, www.isaca.org/cobit. As defined in the COBIT framework, each of the following related products and/or elements is organised by IT management process: • Control objectives—Generic statements of minimum good control in relation to IT processes • Management guidelines—Guidance on how to assess and improve IT process performance, using maturity models; Responsible, Accountable, Consulted and/or Informed (RACI) charts; goals; and metrics. They provide a management-oriented framework for continuous and proactive control self-assessment specifically focused on: – Performance measurement – IT control profiling – Awareness – Benchmarking • COBIT Control Practices—Risk and value statements and ‘how to implement’ guidance for the control objectives • IT Assurance Guide—Guidance for each control area on how to obtain an understanding, evaluate each control, assess compliance and substantiate the risk of controls not being met A glossary of terms can be found on the ISACA web site at www.isaca.org/glossary. The words audit and review are used interchangeably in the IS Auditing Standards, Guidelines and Procedures. Disclaimer: ISACA has designed this guidance as the minimum level of acceptable performance required to meet the professional responsibilities set out in the ISACA Code of Professional Ethics. ISACA makes no claim that use of this product will assure a successful outcome. The publication should not be considered inclusive of all proper procedures and tests or exclusive of other procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific procedure or test, the controls professional should apply his/her own professional judgement to the specific control circumstances presented by the particular systems or IT environment. The ISACA Standards Board is committed to wide consultation in the preparation of the IS Auditing Standards, Guidelines and Procedures. Prior to issuing any documents, the Standards Board issues exposure drafts internationally for general public comment. The Standards Board also seeks out those with a special expertise or interest in the topic under consideration for consultation where necessary. The Standards Board has an ongoing development programme and welcomes the input of ISACA members and other interested parties to identify emerging issues requiring new standards. Any suggestions should be e-mailed ([email protected]), faxed (+1.847. 253.1443) or mailed (address at the end of document) to ISACA International Headquarters, for the attention of the director of research, standards and academic relations. This material was issued on 17 January 2008.G7 Due Professional Care ©1999, 2008 ISACA. All rights reserved. Page 2 1. BACKGROUND 1.1 Linkage to Standards 1.1.1 Standard S3 Professional Ethics and Standards, states ‘The IS auditor should adhere to the ISACA Code of Professional Ethics in conducting audit assignments’. 1.1.2 Standard S3 Professional Ethics and Standards, states ‘The IS auditor should exercise due professional care, including observance of applicable professional auditing standards’. 1.1.3 Standard S2 Independence, states ‘In all matters related to the audit, the IS auditor should be independent of the auditee in both attitude and appearance’. 1.1.4 Standard S4 Professional Competence, states ‘The IS auditor should be professionally competent, having the skills and knowledge to conduct the audit assignment, and he/she should maintain professional competence through appropriate continuing professional education and training’. 1.1.5 The IS auditor