“Art. 6. – (1) Entitățile prevăzute la art.3 alin.(1) lit. c) au obligația de a audita sistemul informatic utilizat. Sistemul informatic al entității va fi auditat de un auditor IT. ”

…..

“(2) Raportul prevăzut la alin.(1) va fi întocmit în conformitate cu standardele ISACA-S2 şi S7 sau cu standardul ISAE 3000 şi ghidul ISACA-G20 pentru verificări de tip audit.”

I N S T R U C Ţ I U N E A Nr.2/2011 privind auditarea sistemelor informatice utilizate de entităţile autorizate, reglementate şi supravegheate de Comisia Naţională a Valorilor Mobiliare

Standardul ISACA S2 impune:

“03 Professional Independence
In all matters related to the audit, the IS auditor should be independent of the auditee in both attitude and appearance.
04 Organisational Independence
The IS audit function should be independent of the area or activity being reviewed to permit objective completion of the audit assignment.”

Standardul ISACA S7 impune:

“03 The IS auditor should provide a report, in an appropriate form, upon completion of the audit. The report should identify the organisation, the intended recipients and any restrictions on circulation.
04 The audit report should state the scope, objectives, period of coverage and the nature, timing and extent of the audit work performed.
05 The report should state the findings, conclusions and recommendations and any reservations, qualifications or limitations in scope that the IS auditor has with respect to the audit.
06 The IS auditor should have sufficient and appropriate audit evidence to support the results reported.
07 When issued, the IS auditor’s report should be signed, dated and distributed according to the terms of the audit charter or engagement letter.”

Ajungem la standardul ISAE 3000: INTERNATIONAL STANDARD ON ASSURANCE ENGAGEMENTS 3000.
ASSURANCE ENGAGEMENTS OTHER THAN AUDITS OR REVIEWS OF HISTORICAL FINANCIAL INFORMATION.

Vă rog să recitiţi ce reglementează acest standard: angajamentele tip asigurare ALTELE decît cele de tip audit sau revizie a datelor financiare, istorice!

“ The purpose of this International Standard on Assurance Engagements (ISAE) is to establish basic principles and essential procedures for, and to provide guidance to, professional  accountants (s.m) in public practice (for purposes of this ISAE referred to as “practitioners”) for the performance of assurance engagements other than audits or reviews of historical financial information covered by International Standards on Auditing (ISAs) or International Standards on Review Engagements (ISREs).”

“The practitioner should comply with this ISAE and other relevant ISAEs when performing an assurance engagement other than an audit or review of historical financial information covered by ISAs or ISREs ”

Ce cuprind “historical financial information” aflăm din 2010 Handbook of International Quality Control, Auditing, Review, Other Assurance, and Related Services Pronouncements – Part I :

“Historical financial information that is derived from financial statements but that contains less detail than the financial statements, while still providing a structured representation consistent with that provided by the financial statements of the entity’s economic resources or obligations at a point in time or the changes therein for a period of time” –

Ce spune ISAE 3000 despre raport (2010 Handbook of International Quality Control, Auditing, Review, Other Assurance, and Related Services Pronouncements – Part II )?

“Assurance Report Content
49. The assurance report should include the following basic elements:
(a) A title that clearly indicates the report is an independent assurance report”

“Under this Framework, there are two types of assurance engagement a practitioner is permitted to perform: a reasonable assurance engagement and a limited assurance engagement.”

Adică nu este un “raport de audit” ci un “raport de asigurare”. Aici nu este vorba doar de o problemă de formă, de exprimare literară, ci este o problemă de fond: există o diferenţă între o misiune tip audit, una tip revizie şi una tip asigurare! Iar cei cărora se adresează acest standard nu sînt CISA ci profesioniştii contabili! Aceasta nu este concluzia mea ci exact ceea ce spune ISAE : INTERNATIONAL STANDARD ON ASSURANCE ENGAGEMENTS !

 

Cei care se ocupă de asigurări în cazul sistemelor informaţionale au la dispoziţie ITAF: A Professional Practices Framework for IT Assurance :

“When should ITAF be used? The application of the framework is a prerequisite to conducting assurance work. The standards are mandatory. The guidelines, tools and techniques are designed to provide non-mandatory assistance in performing assurance work.”

“‘Assurance’ in the context of this publication means that, pursuant to an accountable relationship between two or more parties, an IT audit and assurance professional is engaged to issue a written communication expressing a conclusion about the subject matters for which the accountable party is responsible. Assurance refers to a number of related activities designed to provide the reader or user of the report with a level of assurance or comfort over the subject matter. For example,assurance engagements could include support for audited financial statements, reviews of controls, compliance with required standards and practices, and compliance with agreements, licenses, legislation and regulations.

‘Audit’, in the context of this publication, refers to a specific type of assurance
engagement in which an IT audit and assurance professional conducts a formal, independent and systematic inspection or examination of subject matter against a recognised and appropriate standard or against management’s assertions that must meet specific criteria. Audit engagements require a formal approach, adherence to specific standards and guidance, and adoption of specific reporting formats. Audit engagements could include support of the audit of financial statements, opinions of regulatory compliance and other formal expressions of opinion. Assurance engagements may be performed with various degrees of rigour to reach a conclusion about the subject matter and thereby provide the reader or user with a level of assurance. The degrees of rigour are commonly referred to as the examination level and the review level (which is less rigorous).
Agreed-on or specified procedures engagements are not considered audits in that they likely lack the completeness of scope to be considered an audit. However, the procedures agreed on by the users of the report are audit procedures and they are applied against the subject matter. The resulting report refers to audit procedures but indicates the work performed does not constitute an audit and that no opinion is provided. Distribution of such reports is restricted.”

În INTERNATIONAL FRAMEWORK FOR ASSURANCE ENGAGEMENTS, de la IFAC (International Federation of Accountants) – emitentul ISAE, se menționează:

“ “Assurance engagement” means an engagement in which a practitioner expresses a conclusion designed to enhance the degree of confidence of the intended users other than the responsible party about the outcome of the evaluation or measurement of a subject matter against criteria.”

“ Under this Framework, there are two types of assurance engagement a practitioner is permitted to perform: a reasonable assurance engagement and a limited  assurance engagement. The objective of a reasonable assurance engagement is a reduction in assurance engagement risk to an acceptably low level in the circumstances of the engagement6 as the basis for a positive form of expression of the practitioner’s conclusion. The objective of a limited assurance engagement is a reduction in assurance engagement risk to a level that is acceptable in the circumstances of the engagement, but where that risk is greater than for a reasonable assurance engagement, as the basis for a negative form of expression of the practitioner’s conclusion.”

Să spunem și cui se adresează frameworkul de mai sus:

“(a) Professional accountants in public practice (“practitioners”) when performing assurance engagements. Professional accountants in the public sector refer to the Public Sector Perspective at the end of the Framework. Professional accountants who are neither in public
practice nor in the public sector are encouraged to consider the Framework when performing assurance engagements;

(b) Others involved with assurance engagements, including the intended users of an assurance report and the responsible party;

(c) The International Auditing and Assurance Standards Board (IAASB) in its development of ISAs, ISREs and ISAEs.”

Nu ştiu cine îi consiliează pe cei care emit reglementări (indiferent de numele reglementatorului), dar nu îi consiliază bine. Între tipurile de misiuni există diferenţe. Între tipurile de rapoarte există diferenţe. Ca efect şi responsabilităţile asumate şi raţionamentul profesional sînt diferite!

Teoretic, nici un CISA care se prezumă că respectă Codul Etic la care a aderat, nu ar trebui să efectueze o astfel de misiune pînă cînd nu se clarifică toate aspectele ( Mă întreb: dacă un CISA nu este și “professional accountants in public practice”, cum poate respecta ISAE 3000?):

“Serve in the interest of stakeholders in a lawful and honest manner, while maintaining high standards of conduct and character, and not engage in acts discreditable to the profession. “

În concluzie, dacă raportul de audit va fi întocmit în conformitate “cu standardele ISACA-S2 şi S7 sau cu standardul ISAE 3000 şi ghidul ISACA-G20 pentru verificări de tip audit.”, va fi o struţo-cămilă. Pe de o parte G 20 reglementează raportarea în audit, iar pe de altă parte ISAE 3000 reglementează raportarea în misiuni tip “asigurare”.

“The report produced by the IT audit and assurance professional will vary, depending on the type of assignment performed. Considerations include the level of assurance, whether the assurance professional was acting in an audit capacity, whether the assurance professional is providing a direct report on the subject matter or is reporting on assertions regarding the subject matter, and whether that report is based on work performed at the review level or the examination level.” – ITAF pg. 15

 

Update: exemple de rapoarte conform ISAE 3000: EY, PWC, KPMG.