IS AUDITING GUIDELINE EFFECT OF NONAUDIT ROLE ON THE IS AUDITOR’S INDEPENDENCE DOCUMENT G17 Introduction The specialised nature of information systems (IS) auditing and the skills necessary to perform such audits require standards that apply specifically to IS auditing. One of the goals of the Information Systems Audit and Control Association, Inc. (ISACA) is to advance globally applicable standards to meet this need. The development and dissemination of IS Auditing Standards are a cornerstone of the ISACA professional contribution to the audit community. Objectives The objectives of the ISACA IS Auditing Standards are to inform:  IS auditors of the minimum level of acceptable performance required to meet the professional responsibilities set out in the ISACA Code of Professional Ethics for IS auditors  Management and other interested parties of the profession’s expectations concerning the work of practitioners The objective of IS Auditing Guidelines is to provide further information on how to comply with the IS Auditing Standards. Scope and Authority of IS Auditing Standards The framework for the ISACA IS Auditing Standards provides for multiple levels of standards, as follows:  Standards define mandatory requirements for IS auditing and reporting.  Guidelines provide guidance in applying IS Auditing Standards. The IS auditor should consider them in determining how to achieve implementation of the standards, use professional judgment in their application and be prepared to justify any departure.  Procedures provide examples of procedures an IS auditor might follow in an audit engagement. Procedures should not be considered inclusive of any proper procedures and tests or exclusive of other procedures and tests that are reasonably directed to obtain the same results. In determining the appropriateness of any specific procedure, group of procedures or test, the IS auditor should apply their own professional judgment to the specific circumstances presented by the particular information systems or technology environment. The procedure documents provide information on how to meet the standards when performing IS auditing work, but do not set requirements. The words audit and review are used interchangeably. Holders of the Certified Information Systems Auditor (CISA®) designation are to comply with IS Auditing Standards adopted by ISACA. Failure to comply with these standards may result in an investigation into the CISA holder’s conduct by the ISACA Board of Directors or appropriate ISACA committee and, ultimately, in disciplinary action. Development of Standards, Guidelines and Procedures The ISACA Standards Board is committed to wide consultation in the preparation of IS Auditing Standards, Guidelines and Procedures. Prior to issuing any documents, the Standards Board issues exposure drafts internationally for general public comment. The Standards Board also seeks out those with a special expertise or interest in the topic under consideration for consultation where necessary. The Standards Board has an ongoing development programme, and would welcome the input of members of the ISACA and holders of the CISA designation and other interested parties to identify emerging issues requiring new standards products. Any suggestions should be e-mailed ([email protected]), faxed (+1.847. 253.1443) or mailed (address provided at the end of this guideline) to ISACA International Headquarters, for the attention of the director of research standards and academic relations. This guideline replaces the previously issued IS Auditing Guideline Effect of Involvement in the Development, Acquisition, Implementation or Maintenance Process on the IS Auditor’s Independence, which will be withdrawn on the date which this guideline becomes effective. This material was issued on 1 April 2002. Information Systems Audit And Control Association 2001-2002 STANDARDS BOARD Chair, Claudio Cilli, CISA, Ph.D. KPMG, Italy Claude Carter, CISA, CA Nova Scotia Auditor General’s Office, Canada Sergio Fleginsky, CISA PricewaterhouseCoopers, Uruguay Alonso Hernandez, CISA, ROAC Colegio Economistas, Spain Marcelo Hector Gonzalez, CISA Central Bank of Argentina Republic, Argentina Andrew MacLeod, CISA, FCPA, MACS, PCP, MIIA Brisbane City Council, Australia Peter Niblett, CISA, CA, MIIA, FCPA Day Neilson, Australia Venkatakrishnan Vatsaraman, CISA, ACA, AICWA, CISSPEmirates Airlines, United Arab Emirates Sander S. Wechsler, CISA, CPA Ernst & Young, USAPage 2 of 4 Effect of Nonaudit Role on the IS Auditor’s Independence Guideline 1. BACKGROUND 1.1 Linkage to Standards 1.1.1 Standard S2 Independence states, “In all matters related to the audit, the IS auditor should be independent of the auditee in both attitude and appearance.” 1.1.2 Standard S2 Independence states, “The IS audit function should be sufficiently independent of the area or activity being reviewed to permit objective completion of the audit assignment.” 1.2 Need For Guideline 1.2.1 In many organisations, the expectation of management, IS staff and internal audit is that IS auditors may be involved in nonaudit roles such as:  Defining IS strategies relating to areas such as technology, applications, and resources  Evaluation, selection and implementation of technologies  Evaluation, selection, customisation and implementation of third-party IS applications and solutions  Design, development and implementation of custom built IS applications and solutions  Establishing best practices, policies and procedures relating to various IS functions  Design, development and implementation of security, and control 1.2.2 The nonaudit role, in general, involves participation in the IS initiatives and IS project teams in working and or advisory/consultative capacities on a full-time or part-time basis. Examples include:  The full-time temporary assignment or loan of IS audit staff to the IS project team  The part-time assignment of the IS audit staff as a member of the various project structures such as project steering group, project working group, evaluation team, negotiation and contracting team, implementation team, quality assurance team and trouble shooting team  Acting as an independent advisor or reviewer on an ad hoc basis 1.2.3 Such nonaudit roles