
The main international standards and best practices for auditing information technology



In the 1960s, the introduction of information systems for accounting in the commercial sector gave rise to a new IT profession: the IT auditor. Soon afterwards the first professional association of IT auditors, the Electronic Data Processing Auditors Association (EDPAA, the predecessor of today's ISACA), was founded with the purpose of developing standards and best practices for IT auditing.

Since then, the importance of the IT auditor profession has grown significantly. Today an audit of IT controls is an indispensable part of every independent financial audit, IT audit services are in demand on the market, and large corporations have their own IT audit divisions that periodically review IT processes and help improve them. Following established standards and best practices is a prerequisite for conducting an audit efficiently and to a high standard of quality.

The purpose of this article is to present the main current standards and guidelines in the field of IT auditing that are used in the various types of information technology audits. The article is aimed primarily at professionals starting their careers in IT auditing and information security. It may also be of interest to financial and internal auditors who want to become acquainted with the existing IT audit standards.

The article discusses the standards and guidelines developed by the international organizations ISACA, the Institute of Internal Auditors (IIA), ISO/IEC, the IAASB (International Auditing and Assurance Standards Board), the PCAOB and others. For each standard, a brief description of its structure and intended use is given.

1. "ITAF (IT Assurance Framework), 2nd Edition" - the international IT audit standard from ISACA


The current edition was released in July 2013. The target audience of the standard is IT audit specialists. The standard is intended for use in conducting formalized audits of information systems and IT infrastructure.

The standard defines:
• key terms and concepts specific to the IT auditing profession;
• minimum requirements for the skills and knowledge of specialists performing audits of information systems;
• the main stages of an information systems audit and of preparing the audit report;
• a list of standard supporting guides, work programs and tools for auditing information systems.

ITAF was developed as a standard that can be used both for stand-alone audits of information systems and for auditing information systems as part of financial and operational audits.

The ITAF standard consists of three parts:

1. General standards - guidelines for information systems audit professionals: independence, objectivity and professional ethics, and the maintenance of knowledge, competencies and skills.
2. Performance standards - the practice of planning and supervising audits, defining the scope of the engagement, managing risk and materiality, assigning resources, managing the engagement as a project, collecting and retaining audit evidence, and using the work of other experts.
3. Reporting standards - a description of the types of reports, reporting tools and the kinds of information presented.

For each part of the standard, ISACA has developed guidelines, work programs and instructions that support the implementation of the described audit procedures. These guides, work programs and instructions are available on the association's official website.

At the time of writing, ITAF is the most comprehensive source for IT auditing professionals, describing all the steps involved in auditing IT systems and IT processes.

2. "COBIT 5 for Assurance" - audit guidance in accordance with COBIT 5


The current version of the guide was released by ISACA in July 2013. The guide is intended for use by IT audit, IT risk and IT management experts when conducting audits of information systems in accordance with the COBIT 5 best practices. The previous version of the COBIT collection of best practices (v4.1) was released in 2007 and continues to be widely used by practitioners (1).

COBIT 5 for Assurance:

• contains detailed guidance on using COBIT 5 to organize and maintain the internal IT audit function in a company;
• contains a structured approach to conducting an IT audit in accordance with the processes and enablers described in COBIT 5;
• shows specific examples of using COBIT 5 in an IT audit.

Compared to ITAF, COBIT 5 for Assurance has a lower degree of formalization of audit procedures but wider coverage of how IT processes should be organized according to best practice.

3. "International Professional Practices Framework (IPPF)" - International Standards for the Professional Practice of Internal Auditing


The international standard for internal auditing from the Institute of Internal Auditors (IIA). The current edition was released in 2013. The target audience of the standard is internal audit staff.

The purpose of the standard is to define:

• the basic principles of internal auditing;
• a standard set of internal audit practices;
• baseline indicators for evaluating the effectiveness of internal audit procedures.

Although the standard was not developed as an IT audit standard, it defines universal principles and approaches that can be used both in internal financial and operational audits and in internal audits of information technology.

To provide methodological support for the standard with respect to IT auditing, the IIA has developed detailed guidance on IT risk assessment (the Guide to the Assessment of IT Risk) and on information technology auditing (the Global Technology Audit Guide).

The Guide to the Assessment of IT Risk (GAIT) describes the relationship between business risks, key controls embedded in business processes, automated controls, critical IT functions, and IT General Controls (2).

The GAIT guidance includes the following publications:
1) The GAIT Methodology - describes a risk-based approach to identifying and assessing IT General Controls as part of the management assessment of the internal control system required for compliance with Section 404 of the Sarbanes-Oxley Act.
2) GAIT for IT General Control Deficiency Assessment - describes the approach to determining the significance and materiality of IT General Control deficiencies identified during a Section 404 compliance assessment.
3) GAIT for Business and IT Risk - describes the steps for identifying the key IT controls that are critical to achieving an organization's business goals and objectives.

The Global Technology Audit Guide (GTAG) series consists of 15 publications describing the processes, procedures and techniques used in conducting information systems audits:
1. Information Technology Risk and Controls
2. Change and Patch Management Controls
3. Continuous Auditing
4. Management of IT Auditing
5. Information Technology Outsourcing
6. Auditing Application Controls
7. Identity and Access Management
8. Business Continuity Management
9. Developing an IT Audit Plan
10. Auditing IT Projects
11. Fraud Prevention and Detection in an Automated World
12. Auditing User-developed Applications
13. Information Security Governance
14. Data Analysis Technologies
15. Auditing IT Governance

The level of detail and the business orientation of these standards are their strengths. However, because the standard and its supporting guides were written for professionals without a deep IT background, the terminology used does not always accurately describe the technical aspects of IT auditing. Some of the guides have also not been updated for several years.

4. International standards "ISAE No. 3402" and "SSAE No. 16"


"ISAE No. 3402" is an international standard for assurance reports on service organizations, developed by the IAASB (International Auditing and Assurance Standards Board), which is part of the International Federation of Accountants (IFAC).

"SSAE No. 16" (which superseded SAS 70) was issued by the American Institute of Certified Public Accountants (AICPA) and is the American adaptation of the international standard "ISAE No. 3402".

The purpose of "ISAE No. 3402" is to provide a unified approach to assessing the effectiveness of a service organization's internal control system as it relates to the preparation of reliable financial statements. Under the standard, verification of the effectiveness of IT controls is a necessary part of the assessment.

In accordance with "ISAE No. 3402", authorized audit organizations may issue formalized assurance reports on the effectiveness of the internal control system. These reports can be provided to third parties (the service organization's customers and their auditors) without the need for a repeat audit.

To obtain a sufficient level of assurance over the service organization's internal control system:

1) The service organization must clearly describe the design of its internal control system for the period under audit, including the IT aspects.
2) The controls related to the control objectives in the description of the organization's internal control system must be designed adequately to cover the relevant risks (financial, operational, IT, etc.).
3) The controls included in the scope of the audit must operate effectively, so as to provide reasonable assurance that the control objectives stated in the description of the organization's internal control system were achieved during the audited period.

Audits under this standard are fairly common in the United States and Europe, but in Russia they are not yet widespread.

5. PCAOB Auditing Standard No. 5 "An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements"


The current edition of the standard was developed and released by the Public Company Accounting Oversight Board (PCAOB) in 2007.

The PCAOB was established by the Sarbanes-Oxley Act in 2002 as a non-profit organization to oversee the audits of companies listed on American exchanges, in order to protect the interests of investors who rely on independent audit reports. With the creation of the PCAOB, the Sarbanes-Oxley Act for the first time subjected private audit firms to independent oversight. Prior to this, the audit profession in the United States was self-regulating.

PCAOB Auditing Standard No. 5 defines the requirements for including audits of IT processes and IT systems in the scope of mandatory audit procedures when conducting an external financial audit.

According to the standard, when auditing controls related to the preparation of financial statements, the auditor should gain an understanding of how the information systems and technologies in use affect the process of producing the financial statements. The auditor must also understand which controls are performed manually and which are implemented at the level of information systems (automated controls), including how the IT general controls that are important for the effective operation of the automated controls are performed. This information should be taken into account when assessing the risk of misstatement of financial information processed in information systems.

6. "ISO/IEC 27007: Guidelines for information security management systems auditing" and "ISO/IEC TR 27008: Guidelines for auditors on information security controls"


Both standards were published by ISO/IEC in 2011.
The target audience of the standards is information security and IT audit specialists who plan to conduct compliance audits against the requirements of ISO/IEC 27001 and ISO/IEC 27002.
The purpose of the standards is to assess whether the audited organization or unit meets the requirements set out in ISO/IEC 27001 and ISO/IEC 27002.
The standards cover the following aspects of an audit:
1. Audit programme management (determining the scope of the audit, forming the audit team, managing audit risks, retaining audit evidence, improving the audit process).
2. Conducting the audit itself (planning, execution, key activities including sampling and analysis, reporting, and subsequent follow-up).
3. Management of the audit team (maintaining competencies and skills, evaluating team members).
A drawback of these standards is the absence of a risk assessment step and the resulting prioritization of controls when planning and conducting an audit. Nevertheless, the standards are convenient when preparing for a compliance audit against ISO/IEC 27001 and ISO/IEC 27002.

Other standards and guidelines that can be used in conducting an IT audit


In some cases, IT audits can also draw on international standards and best practices that are not auditing standards as such, but are convenient for assessing the maturity and efficiency of IT processes.
Examples of such standards:
1. ISO/IEC 20000 - the international standard for IT service management.
2. ITIL (IT Infrastructure Library) - a library of best practices for organizing the work of departments or companies engaged in the provision of IT services.
3. PCI DSS - the data security standard for the payment card industry, established by the international payment brands Visa, MasterCard, American Express, JCB and Discover.
4. The NIST SP 800 series of information security publications.
5. ISF Standard of Good Practice for Information Security - a business-oriented, practical information security risk management guide from the Information Security Forum (ISF).



(1) The article does not consider COBIT 4.1, since ISACA regards it as superseded.
(2) IT General Controls (ITGC) - the common controls embedded in IT processes and services, such as system development, change management, security, etc. The goal of IT general controls is to ensure the reliable development and implementation of applications, the integrity and security of applications and information, and the reliability of automated operations.

Source: https://habr.com/ru/post/224895/
