For information systems audit and assurance professionals, the revised International Standards for the Professional Practice of Internal Auditing (Standards) that took effect at the start of this year were of interest, because for the first time a standard (Standard 2110: Governance) directly addressed IT governance. Standard 2110.A2 requires the internal audit function to "assess whether the information technology governance of the organization supports the organization's strategies and objectives."
The need for Standard 2110.A2 is clearly highlighted in the executive summary of The IIA's Global Technology Audit Guide (GTAG) 17: Auditing IT Governance, issued in July 2012, which observes that, "with the continued increase in the speed of technological advancement, IT proliferation, and organizational dependence on IT, it is clear why the internal audit activity should address this inherently high-risk area." Auditors can leverage ISACA's revised Information Systems Audit and Assurance Standards to comply with the mandatory requirements of Standard 2110.A2. Released in July, the updated ISACA standards will take effect in November, with revised guidelines for implementing the standards scheduled to be issued for public exposure by year-end. Moreover, COBIT 5, released last year by ISACA, can add value to compliance with the IT governance requirement.
The Revised ISACA Standards
Although the need to revise ISACA's standards stems in part from the fact that information systems are developing rapidly and becoming increasingly pervasive in organizations, it owes more to the necessity of keeping up with changes in audit best practices and the expectations of audit stakeholders. The ISACA standards, like those of The IIA and the International Federation of Accountants (IFAC), are principles-based standards that are reviewed regularly to ensure they remain relevant, credible, and continue to provide value for both audit practitioners and their clients.
In updating ISACA's standards, its standard-setters followed the example of organizations such as The IIA and IFAC's International Auditing and Assurance Standards Board that recently have revised their respective standards to make them clearer and easier to follow. Likewise, ISACA has made its standards more accessible and relevant to information systems auditors and other users, enabling them to better plan, perform, and report on an audit.
Although audit standards issued by different standard-setting bodies are set at a high enough level to have much in common, differences nonetheless remain. The ISACA standards address specific information system audit and assurance issues that other audit standards do not necessarily address directly. For example, one ISACA standard specifically addresses materiality. For an information system auditor, materiality is controls-based: weaknesses in, or the absence of, controls that could result in a significant deficiency or a material weakness in an information system. For a financial auditor, monetary amounts may be a bigger driver of materiality.
The IIA's Standards define IT governance as "the leadership, organizational structures, and processes that ensure that the enterprise's [IT] supports the organization's strategies and objectives." From this definition, it is apparent how a clear definition of audit materiality of information systems could be useful for auditors. IT processes are subject to controls that need auditing to provide assurance they are well-designed and working in a way that supports the organization's strategies and objectives. GTAG 17 describes some of the key IT governance areas that internal auditors should address, many of which will require well-designed processes and controls:
Roles and responsibilities for chief IT officers (e.g., chief information officer, chief technology officer, and chief information security officer).
Accountability and decision-making.
IT performance monitoring and reporting metrics, including financial management of IT operations and projects.
C-suite understanding of how IT supports and enables the organization to achieve its strategy and objectives.
Alignment between IT and the enterprise.
IT governance risk and controls.
Although the standards themselves are useful to users of audit reports, the implementing guidelines will provide auditors with practical guidance that goes into more detail about each standard's context. Internal auditors may want to refer to ISACA's audit guidelines when they are auditing information systems or performing reviews aimed at meeting IIA Standard 2110.A2. The guidelines drill deeper into the concepts behind the standards. For example, a sampling guideline will detail how to design, select, and evaluate the results of a sample. Although auditors may already understand much of this sampling information, the guidelines will provide examples of compliance control tests in an information systems environment.
Another useful guidance document is COBIT 5, a governance and management framework that can support organizations in creating maximum stakeholder value from information systems. It assists those charged with the governance of an enterprise to define the benefits they want to achieve from the organization's use of information systems against both their resource constraints (e.g., talent and money) and their risk appetite.
For users of other governance frameworks, such as The Committee of Sponsoring Organizations of the Treadway Commission's (COSO's) Internal Control–Integrated Framework, COBIT has become a legitimate alternative tool because it focuses on information systems governance, which is now a fundamental business driver. One of the benefits of using COBIT 5 as a governance framework is that it is aligned with accepted best practice in the information systems field, such as the IT Infrastructure Library and ISO/IEC 27000 standards series, as well as COSO, which added focus on IT governance in its updated version released in May.
By implementing COBIT 5 successfully to govern IT, organizations should be able to meet business objectives such as leveraging IT to its best advantage, protecting data and assets, and complying with applicable regulations.
While COBIT 5 is not specifically linked to ISACA's revised standards, the upcoming implementing guidelines link to relevant COBIT processes and their purposes to assist the auditor. In addition, ISACA has issued specific COBIT 5 for Assurance guidance that follows the structure, context, and vocabulary of the framework to allow auditors who are familiar with COBIT to report in a complementary way. This guide, which aligns with several IT-related assurance standards, including those of The IIA, is useful to auditors in three main ways:
It allows auditors, as well as those charged with the organization's governance, to gain insight into current best practices on assurance. For example, it shows which business structures are required in providing assurance, such as governance bodies, audit committees, and the audit function itself.
It demonstrates how to use COBIT 5 components and concepts for planning, performing, and reporting on IT audit engagements. Moreover, it provides guidance on the specific COBIT 5 assurance processes, as well as how to gain assurance that its seven governance enablers are being used effectively.
It views the role of audit from a value-added perspective that looks at whether the organization is delivering the required benefits defined by stakeholders against the constraints of resources and risk.
Information systems and other technological advances continue unabated, and this increases the expectations placed on internal auditors. To address the assurance expectations of those charged with governance over organizations, as well as regulators and other stakeholders, auditors need appropriate tools. Although tools such as IIA and ISACA standards and COBIT 5 exist, they must continually be reviewed and updated to remain relevant. Auditors, in turn, must keep abreast of technological advances and gain the often-complex skills and knowledge to ensure they can provide assurance over their organization's IT governance.