IS AUDITING STANDARD

S15 IT CONTROLS
The specialised nature of information systems (IS) auditing and the skills necessary to perform such audits require standards that apply specifically to IS auditing. One of the goals of ISACA is to advance globally applicable standards to meet its vision. The development and dissemination of the IS Auditing Standards are a cornerstone of the ISACA professional contribution to the audit community. The framework for the IS Auditing Standards provides multiple levels of guidance:

Standards define mandatory requirements for IS auditing and reporting. They inform: IS auditors of the minimum level of acceptable performance required to meet the professional responsibilities set out in the ISACA Code of Professional Ethics Management and other interested parties of the professions expectations concerning the work of practitioners Holders of the Certified Information Systems Auditor (CISA ) designation of requirements. Failure to comply with these standards may result in an investigation into the CISA holders conduct by the ISACA Board of Directors or appropriate ISACA committee and, ultimately, in disciplinary action. Guidelines provide guidance in applying IS Auditing Standards. The IS auditor should consider them in determining how to achieve implementation of the standards, use professional judgement in their application and be prepared to justify any departure. The objective of the IS Auditing Guidelines is to provide further information on how to comply with the IS Auditing Standards. Procedures provide examples of procedures an IS auditor might follow in an audit engagement. The procedure documents provide information on how to meet the standards when performing IS auditing work, but do not set requirements. The objective of the IS Auditing Procedures is to provide further information on how to comply with the IS Auditing Standards.

Control Objectives for Information and related Technology (COBIT) is an information technology (IT) governance framework and supporting tool set that allows managers to bridge the gaps amongst control requirements, technical issues and business risks. COBIT enables clear policy development and good practice for IT control throughout organisations. It emphasises regulatory compliance, helps organisations increase the value attained from IT, enables alignment and simplifies implementation of the COBIT frameworks concepts. COBIT is intended for use by business and IT management as well as IS auditors; therefore, its usage enables the understanding of business objectives and communication of good practices and recommendations to be made around a commonly understood and wellrespected framework. COBIT is available for download on the ISACA web site, www.isaca.org/cobit. As defined in the COBIT framework, each of the following related products and/or elements is organised by IT management process:

Control objectivesGeneric statements of minimum good control in relation to IT processes Management guidelinesGuidance on how to assess and improve IT process performance, using maturity models; Responsible, Accountable, Consulted and/or Informed (RACI) charts; goals; and metrics. They provide a management-oriented framework for continuous and proactive control self-assessment specifically focused on: Performance measurement IT control profiling Awareness Benchmarking COBIT Control PracticesRisk and value statements and how to implement guidance for the control objectives IT Assurance GuideGuidance for each control area on how to obtain an understanding, evaluate each control, assess compliance and substantiate the risk of controls not being met

A glossary of terms can be found on the ISACA web site at www.isaca.org/glossary. The words audit and review are used interchangeably in the IS Auditing Standards, Guidelines and Procedures. Disclaimer: ISACA has designed this guidance as the minimum level of acceptable performance required to meet the professional responsibilities set out in the ISACA Code of Professional Ethics. ISACA makes no claim that use of this product will assure a successful outcome. The publication should not be considered inclusive of any proper procedures and tests or exclusive of other procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific procedure or test, the controls professional should apply his/her own professional judgement to the specific control circumstances presented by the particular systems or information technology environment. The ISACA Standards Board is committed to wide consultation in the preparation of the IS Auditing Standards, Guidelines and Procedures. Prior to issuing any documents, the Standards Board issues exposure drafts internationally for general public comment. The Standards Board also seeks out those with a special expertise or interest in the topic under consideration for consultation where necessary. The Standards Board has an ongoing development programme and welcomes the input of ISACA members and other interested parties to identify emerging issues requiring new standards. Any suggestions should be e-mailed (standards@isaca.org), faxed (+1.847. 253.1443) or mailed (address at the end of document) to ISACA International Headquarters, for the attention of the director of research standards and academic relations. This material was issued 1 December 2007.

S15 IT Controls Introduction 01 ISACA standards contain the basic, mandatory principles and essential procedures, identified in bold type (black lettering), together with related guidance. 02 The purpose of this ISACA standard is to establish standards and provide guidance regarding IT controls. Standard 03 The IS auditor should evaluate and monitor IT controls that are an integral part of the internal control environment of the organisation. 04 The IS auditor should assist management by providing advice regarding the design, implementation, operation and improvement of IT controls. Commentary 05 Management is accountable for the internal control environment of an organisation including IT controls. An internal control environment provides the discipline, framework and structure for the achievement of the primary objective of the system of internal control. 06 COBIT defines control as the policies, procedures, practices and organisational structures, designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected. Also, COBIT defines a control objective as a statement of the desired result or purpose to be achieved by implementing control procedures in a particular process. 07 IT controls are comprised of general IT controls, which include pervasive IT controls, detailed IT controls and application controls, and refer to controls over the acquisition, implementation, delivery and support of IT systems and services. 08 General IT controls are controls that minimise risk to the overall functioning of the organisations IT systems and infrastructure and to a broad set of automated solutions (applications). 09 Application controls are a set of controls embedded within applications. 10 Pervasive IT controls are general IT controls that are designed to manage and monitor the IT environment and, therefore, affect all IT-related activities. They are a subset of general controls, being those general IT controls that focus on the management and monitoring of IT. 11 Detailed IT controls are made up of application controls plus those general IT controls not included in pervasive IT controls. 12 The IS auditor should use an appropriate risk assessment technique or approach in developing the overall IS audit plan and in determining priorities for the effective allocation of IS audit resources to provide assurance regarding the state of IT control processes. Control processes are the policies, procedures and activities that are part of a control environment, designed to ensure that risks are contained within the risk tolerances established by the risk management process. 13 The IS auditor should consider the use of data analysis techniques including the use of continuous assurance, which allows IS auditors to monitor system reliability on a continuous basis and to gather selective audit evidence through the computer when reviewing IT controls. 14 When organisations use third parties, they can become a key component in an organisation's controls and its achievement of related control objectives. The IS auditor should evaluate the role that the third party performs in relation to the IT environment, related controls and IT control objectives. 15 The following ISACA and IT Governance Institute (ITGI) guidance should be referred to for further information regarding IT controls: Guideline G3 Use of Computer-assisted Audit Techniques (CAATs) Guideline G11 Effect of Pervasive IS Controls Guideline G13 Using Risk Assessment in Audit Planning Guideline G15 Planning Guideline G16 Effect of Third Parties on an Organisation's IT Controls Guideline G20 Reporting Guideline G36 Biometric Controls Guideline G38 Access Controls COBIT framework and control objectives

S15 IT Controls Page 2

Operative Date 16 This ISACA standard is effective for IS audits beginning 1 February 2008.
2007-2008 ISACA Standards Board Chair, Ravi Muthukrishnan, CISA, CISM, FCA, ISCA Brad David Chin, CISA, CPA Sergio Fleginsky, CISA Maria Gonzalez, CISA John Ho Chi, CISA, CISM, CBCP, CFE Andrew J. MacLeod, CISA, CIA, FCPA, MACS, PCP John G. Ott, CISA, CPA Jason Thompson, CISA Meera Venkatesh, CISA, CISM, ACS, CISSP, CWA 2007 ISACA. All rights reserved. ISACA 3701 Algonquin Road, Suite 1010 Rolling Meadows, IL 60008 USA Telephone: +1.847.253.1545 Fax: +1.847.253.1443 E-mail: standards@isaca.org Web site: www.isaca.org Capco IT Services India Private Limited, India Google Inc., USA ICI Paints, Uruguay HomeLand Office, Spain Ernst & Young, Singapore Brisbane City Council, Australia AmerisourceBergen, USA KPMG LLP, USA Microsoft Corp., USA

S15 IT Controls Page 3