Original poster: surfman

Information Systems Auditing Standards

#31 Original poster | Posted 2006-2-23 21:59

Information Systems Auditing Standards: Standards Review Project
IS Auditing Standards define mandatory requirements for IS auditing and reporting. The ISACA Standards Board has undertaken a project to add new standards. The IS auditor should consider IS Auditing Guidelines in determining how to achieve implementation of the standards, use professional judgement in their application and be prepared to justify any departure.

Audit Materiality
Introduction
01 ISACA standards contain the basic principles and essential procedures identified in bold type, which are mandatory, together with related guidance.
02 The purpose of this IS auditing standard is to establish and provide guidance on the concept of audit materiality and its relationship with audit risk.

Standard
03 The IS auditor should consider audit materiality and its relationship to audit risk while determining the nature, timing and extent of audit procedures.
04 While planning for audit, the IS auditor should consider possible weakness or absence of controls and whether such weakness or absence of control can become a significant deficiency or a material weakness.
05 The IS auditor should consider materiality in evaluating the system and controls.
06 The IS auditor should consider the cumulative effect of control deficiencies, weaknesses and absence of controls to become a significant deficiency or material weakness.
07 The IS auditor should include in his/her reports ineffective or absence of controls and the significance of the control deficiencies and possibility of these weaknesses resulting in a significant deficiency or material weakness.

Additional Guidance
08 Weakness in control is “material” if the fact or the potential effect could influence the decisions of the users of the IS system. Materiality depends upon various characteristics such as size, circumstances, location, culture, political climate, type of users, errors, omissions, irregularities and illegal acts. Materiality also provides a threshold or cutoff point rather than being a primary qualitative characteristic of the control if it is to be useful.
09 There is an inverse relationship between materiality and level of audit risk, i.e., the higher the materiality level, the lower the audit risk, and vice versa.
10 The definitions of significant deficiency and material weakness also contain aggregation concepts: a control deficiency, or combination of control deficiencies, can represent a significant deficiency or material weakness.
11 The IS auditor should evaluate all deficiencies affecting the control environment in the aggregate.
12 The IS auditor should consider the combined effect of the ineffective IT general control and the ineffective application control(s) to classify as either a significant deficiency or material weakness for the application control and the related IT general control. IT control deficiencies should also be evaluated when aggregated with other control deficiencies.
13 The IS auditor’s assessment of materiality and audit risk may vary from time to time, depending upon the circumstances and the changing environment.
14 The IS auditor should refer to IS Auditing Guideline G6 Materiality Concepts for Auditing Information Systems.
15 Please refer to the following guidance for further information on audit materiality:
• IS Auditing Guidelines:
– G2 Audit Evidence Requirement
– G5 Audit Charter
– G8 Audit Documentation
– G9 Audit Considerations for Irregularities
– G13 Use of Risk Assessment in Audit Planning
• COBIT Management Guidelines
• COBIT Framework, control objectives
• IT Control Objectives for Sarbanes-Oxley, IT Governance Institute

Operative Date
12 This ISACA standard is effective for all information systems audits beginning on or after date of issue.

#32 Original poster | Posted 2006-2-24 10:16

Information Systems Auditing Standards: IRREGULARITIES AND ILLEGAL ACTS

IS AUDITING STANDARD
IRREGULARITIES AND ILLEGAL ACTS
DOCUMENT S9

s9_irregillegalactsstandard_22june05.pdf

122.42 KB, downloads: 868

#33 Posted 2006-2-25 01:21

Thanks to the original poster for sharing.

Many thanks!!!

#34 Original poster | Posted 2006-2-25 09:50

Information Systems Auditing Standards: IT GOVERNANCE

IS AUDITING STANDARD
IT GOVERNANCE

02 The purpose of this ISACA standard is to establish and provide guidance on IT governance areas that the IS auditor needs to consider during the audit process.

Standard
03 The IS auditor should review and assess whether the IS function aligns with the organisation’s mission, vision, values, objectives and strategies.
04 The IS auditor should review whether the IS function has a clear statement about the performance expected by the business (effectiveness and efficiency) and assess its achievement.
05 The IS auditor should review and assess the effectiveness of IS resource and performance management processes.
06 The IS auditor should review and assess compliance with legal, environmental and information quality, and fiduciary and security requirements.
07 A risk-based approach should be used by the IS auditor to evaluate the IS function.
08 The IS auditor should review and assess the control environment of the organisation.
09 The IS auditor should review and assess the risks that may adversely affect the IS environment.

Additional Guidance
10 The IS auditor should refer to IS Auditing Guideline G18, IT Governance.
11 The IS auditor should review and assess the risks of the IS working environment that support business processes. The IS audit activity should assist the organisation by identifying and evaluating significant exposures to risk and contributing to the improvement of risk management and control systems.
12 IT governance can be reviewed by itself or considered in every review carried out of the IS function.
13 The IS auditor should refer to the following guidance for further information on IT governance:
• IS Auditing Guidelines:
– G5 Audit Charter
– G6 Materiality Concepts for Auditing Information Systems
– G12 Organisational Relationship and Independence
– G13 Use of Risk Assessment in Audit Planning
– G15 Planning
– G16 Effect of Third Parties on an Organisation’s IT Controls
– G17 Effect of a Nonaudit Role on the IS Auditor’s Independence
• COBIT Management Guidelines
• COBIT Framework, Control Objectives; this standard relates to all control objectives in all COBIT domains.
• Board Briefing on IT Governance, 2nd Edition, IT Governance Institute
• IT Control Objectives for Sarbanes-Oxley, IT Governance Institute
• US Sarbanes-Oxley Act of 2002 and other specific regulations could also be applicable.

Operative Date
14 This ISACA standard is effective for all information systems audits 1 September 2005

s10_itgovernancestandard_22june05.pdf

138.32 KB, downloads: 824

#35 Original poster | Posted 2006-2-26 00:11

Information Systems Auditing Standards: USE OF RISK ASSESSMENT IN AUDIT PLANNING

Standard
03 The IS auditor should use an appropriate risk assessment technique or approach in developing the overall IS audit plan and in determining priorities for the effective allocation of IS audit resources.
04 When planning individual reviews, the IS auditor should identify and assess risks relevant to the area under review.

s11_useofriskassessmentstandard.pdf

51.15 KB, downloads: 791

#36 Original poster | Posted 2006-2-27 22:36

Information Systems Auditing Standards - Audit Guideline

1. BACKGROUND
1.1 Linkage to Standards
1.1.1 Standard S6 Performance of Audit Work states “During the course of the audit, the IS auditor should obtain sufficient, reliable and relevant evidence to achieve the audit objectives. The audit findings and conclusions are to be supported by appropriate analysis and interpretation of this evidence.”
1.2 Need for Guideline
1.2.1 The interdependency of customers’ and suppliers’ processing and the outsourcing of non-core activities mean that an IS auditor (internal or external) will often find that parts of the environment being audited are controlled and audited by other independent functions or organisations. This guideline sets out how the IS auditor should comply with the above standard in these circumstances. Compliance with this guideline is not mandatory, but the IS auditor should be prepared to justify deviation from it.
2. AUDIT CHARTER
2.1 Rights of Access to the Work of Other Auditors or Experts
2.1.1 The IS auditor should ensure that, where the work of other auditors or experts is relevant to the IS audit objectives, the audit charter or engagement letter specifies the IS auditor’s right of access to this work.
3. PLANNING
3.1 Planning Considerations
3.1.1 When an IS audit involves using the work of other auditors or experts, the IS auditor should consider their activities and their effect on the IS audit objectives while planning the IS audit work. The planning process should include:
■ Assessing the independence and objectivity of the other auditors or experts
■ Assessing their professional competence
■ Obtaining an understanding of their scope of work and approach
■ Determining the level of review required
3.2 Independence and Objectivity
3.2.1 The processes for selection and appointment, the organisational status, the reporting line and the effect of their recommendations on management practices are indicators of the independence and objectivity of other auditors and experts.
3.3 Professional Competence
3.3.1 The qualifications, experience and resources of other auditors and experts should all be taken into account in assessing professional competence.
3.4 Scope of Work and Approach
3.4.1 Scope of work and approach ordinarily will be evidenced by the other auditor’s or expert’s written audit charter, terms of reference or letter of engagement.
3.5 Level of Review Required
3.5.1 The nature, timing and extent of audit evidence required will depend upon the significance of the other IS auditor’s or expert’s work. The IS auditor’s planning process should identify the level of review which is required to provide sufficient reliable, relevant and useful audit evidence to achieve the overall IS audit objectives effectively. The IS auditor should consider reviewing the other auditor’s or expert’s final report, audit programme(s) and audit workpapers. The IS auditor should also consider whether supplemental testing of the other auditor’s or expert’s work is required.
4. PERFORMANCE OF AUDIT WORK
4.1 Review of Other Auditor’s or Expert’s Workpapers
4.1.1 Where a review of the other auditor’s or expert’s workpapers is necessary, the IS auditor should perform sufficient audit work to confirm that the other auditor’s or expert’s work was appropriately planned, supervised, documented and reviewed and to consider the appropriateness and sufficiency of the audit evidence provided by them. Compliance with relevant professional standards should also be assessed.
4.2 Review of Other Auditor’s or Expert’s Report(s)
4.2.1 The IS auditor should perform sufficient reviews of the other auditor’s or expert’s final report(s) to confirm that the scope specified in the audit charter, terms of reference or letter of engagement has been met, that any significant assumptions used by the other auditors or experts have been identified and that the findings and conclusions reported have been agreed by management.
4.2.2 It may be appropriate for management to provide their own report on the audited entities, in recognition of their primary responsibility for systems of internal control. In this case the IS auditor should consider the management’s and auditor’s report together.
4.2.3 The IS auditor should assess the usefulness and appropriateness of reports issued by the other auditors and experts, and should consider any significant findings reported by the other auditors or experts. It is the IS auditor’s responsibility to assess the effect of the other auditor’s or expert’s findings and conclusions on the overall audit objective, and to verify that any additional work required to meet the overall audit objective is completed.
5. FOLLOW-UP ACTIVITIES
5.1 Implementation of Recommendations
5.1.1 Where appropriate, the IS auditor should consider the extent to which management has implemented any recommendations of the other auditor or expert.
6. EFFECTIVE DATE
6.1 This guideline is effective for all information systems audits beginning on or after 1 June 1998.

#37 Posted 2006-3-1 13:25

Thanks to the original poster. I have a question: do these documents have a table of contents? Is the Chinese your own translation? Also, for items like post #33 and the Standards Review Project, did you not upload the PDF files?

#38 Posted 2006-3-3 13:46

A question for the original poster:

In which country is information systems auditing currently the most in demand, and are there companies doing this in China now?

#39 Original poster | Posted 2006-3-3 21:13

State of the industry

Information systems auditing in China is at most just getting started; I believe there is still a long way to go.

This involves many issues, including legal ones and ones of awareness, but the financial sector (for example the overseas listings of Bank of China and China Construction Bank) has started to pay attention. Further development of this industry needs everyone's joint effort to push it forward...

In the US, information systems auditing is taken fairly seriously; the UK leans towards the BS7799 framework. In Hong Kong this industry is also gradually heating up... Perhaps in future this industry will require certification to practise.

#40 Original poster | Posted 2006-3-6 10:32

State of the industry (continued)

At present IT audit is done mainly by accounting firms, such as the Big Four... but it still has not received enough attention.
