Să începem cu cerinţele obligatorii din S14 Audit Evidence:

“The IS auditor should obtain sufficient and appropriate audit evidence to draw reasonable conclusions on which to base the audit results.
The IS auditor should evaluate the sufficiency of audit evidence obtained during the audit.”

Mai adaug:

“Audit evidence should be objective and sufficient to enable a qualified independent party to reperform the tests and obtain the same results.“

Din G2 Audit Evidence Requirement aflăm că:

“The various types of audit evidence that the IS auditor should consider using include:

• Observed processes and existence of physical items
• Documentary audit evidence
• Representations
• Analysis

….

Representations of those being audited can be audit evidence, such as:

• Written policies and procedures
• System flowcharts
• Written or oral statements”

Trecem acum la ITAF – Section 2400—Performance Standards:

“Representations—The IT audit and assurance professional will receive representations during the course of conducting the IT audit—some written and others oral. As part of the audit process, these representations should be documented and retained in the work-paper file. In addition, for attestation engagements, representations from the auditee should be obtained in writing to reduce possible misunderstandings. Matters that may appear in a representation letter include:

• A statement by the auditee acknowledging responsibility for the subject matter and, when applicable, the assertions
• A statement by the auditee acknowledging responsibility for the criteria, and where applicable, the assertions
• A statement by the auditee acknowledging responsibility for determining that the criteria are appropriate for the purposes
• A list of specific assertions about the subject matter based on the criteria selected
• A statement that all known matters contradicting the assertions have been disclosed to the IT audit and assurance professional
• A statement that all communications from regulators affecting the subject matter or the assertions have been disclosed to the IT audit and assurance professional
• A statement that the IT audit and assurance professional has been provided access to all relevant information and records, files, etc., pertaining to the subject matter
• A statement on any significant events that have occurred subsequent to the date of
  the audit report and prior to release of that report
• Other matters that the IT audit and assurance professional may deem relevant or appropriate”

Două definiţii importante:

“Assertion—Refers to a declaration or set of declarations about the subject matter. Assertions should be based on, or be in conformity with, the criteria selected.

Representation—Refers to a written or oral statement by management and the auditee about the subject matter. It is statement of fact that can be confirmed through audit procedures. A representation may also indicate that the IT audit and assurance professional has been informed of, and given access to, all relevant information, records, files, etc., pertaining to the subject matter.”

“Reprezentarea scrisă” (mai corect cred că ar fi “declaraţia scrisă a managementului”) îmbracă forma unei “scrisori de reprezentare” (aşa este definită şi de CAFR prin traducerea “representation letter” din standardele IFAC) adresată de către auditat, auditorului. Exemplu:

“De la: SC XYZ SA

Către: SC AUDITOR SRL

Data: 15.01.2012

Această scrisoare de reprezentare este furnizată în contextul auditului realizat de dvs asupra securităţii sistemului informatic dezvoltat în cadrul proiectului “Registratura electronică”.

Pe baza informaţiilor noastre, declarăm în cunoştinţă de cauză:

• Ne asumăm responsabilitatea pentru conformitatea cu “Termenii şi Condiţiile” (sau de exemplu OMCSI 389/2007) pentru proiectul “Registratură electronică” (sau. pt. sistemul electroic tip Internet banking denumit …) astfel cum este prevăzut în documentele legale, de reglementare şi contractuale ale Comisiei Europene care se aplică acestui proiect.
• Ne asumăm responsabilitatea pentru crearea şi menţinerea unui sistem de control intern, care prevede că:

• Am obţinut asigurări rezonabile în ceea ce priveşte respectarea “Termenilor si Conditilor” acordului  şi că au fost luate măsurile corespunzătoare de corecţie ori de câte ori o încălcare a acestor termeni şi condiţii a avut loc;
• Există o evidenţă corespunzătoare a fazelor, etapelor şi sarcinilor din cadrul acestui proiect, inclusiv evidenţele contabile, aplicarea legislaţiei precum şi protejarea activelor;
• Sistemul de control intern oferă un grad rezonabil de prevenire şi detectare a fraudelor şi actelor ilegale.
• Nu au existat nereguli în care să fie implicată conducerea organizaţiei sau angajaţii care au un rol important realizarea proiectului sau care ar putea avea un efect semnificativ asupra informaţiilor legate de proiect.
• Confirmăm că nu am fost implicaţi în acţiuni judiciare sau litigii care să aibă legătură cu acest proiect.
• Înţelegem şi acceptăm că abilitatea auditorilor de a efectua testele şi procedurile prevăzute de prezentul angajament de audit depind de asigurarea din partea noastră a accesului total şi liber la informaţiile şi documentaţia proiectului, infrastructura IT şi la intervievarea personalului nostru.
• Toate înregistrările şi documentele justificative şi conexe ale proiectului au fost puse la dispoziţie dvs. pentru a vă atinge scopul acestui audit.  

Semnătură:

Nume şi poziţie:”