In July I wrote that ISACA had published the new version of ITAF and that, at least in theory, things should get onto a normal track in our market. "Shall" means "must", and so the "hot air" is more or less over. From now on, every CISA has to build an audit file and carry out engagements the way ITAF requires!
I have said it many times: the roots of information systems auditing are in financial (accounting) auditing. It branched off from there more than 40 years ago! Consequently, there are not too many differences in terms of principles. The figure below summarises the types of engagements in the financial domain.
(Source: http://www.cafr.ro/uploads/Servicii%20conexe-23f0.pdf)
We can see that things do not differ much in the case of IS auditing; the same things are explained in ITAF. The new ISACA guidelines, which will come into force in 2014, support what was said above. They are currently published as drafts for consultation and review (based on past experience, there will be no major differences in the final versions).
By way of example, a few of the new clarifications.
- 2003 Professional Independence
Examples of activities that would generally be considered a management responsibility include:
• Setting policies and strategic direction
• Directing and taking responsibility for the actions of the entity’s employees
• Authorising transactions
• Deciding which recommendations of the audit function, internal audit function, organisation, firm or other third parties to implement
• Taking responsibility for designing, implementing or maintaining internal control
• Accepting responsibility for the management of an IT project or initiative
2.6.2 In addition to assuming management responsibilities, the following nonaudit services or roles are considered to impair independence and objectivity:
• Material involvement of professionals in the supervision or performance of designing, developing, testing, installing, configuring or operating information systems that are material or significant to the subject matter of the audit or assurance engagement
• Designing controls for information systems that are material or significant to the subject matter of the audit or assurance engagement
• Serving in a governance role where professionals are responsible for either independently or jointly making management decisions or approving policies and standards
• Providing advice that forms the primary basis of management decisions or performing management functions
Despite there being no requirement for professionals to be independent while performing non‐audit services or roles, professionals should consider whether independence could be impaired if they are assigned to perform an audit or assurance engagement in which the area where non‐audit services or roles are or were provided is material to the subject matter of the engagement. Where such a potential impairment is foreseeable (e.g., where an independent audit will be required later and there is only one professional with the requisite skills to perform both the non‐audit services or roles and the subsequent audit), the professional should seek guidance from audit management and, if necessary, those charged with governance, prior to accepting or performing the non‐audit services or roles.
- 2007 Assertions
2.1.1 Assertions are any declaration or set of declarations about whether the subject matter is based on or in conformity with the criteria selected. Professionals should consider these assertions throughout the execution of an audit engagement, obtain assurance on their achievement and express this in the audit report.
2.1.2 Common assertions that may be considered include:
• Confidentiality—Preserving authorised restrictions on access and disclosure, including means for protecting privacy and proprietary information
• Completeness—All activities, information and other data that should have been recorded are recorded, e.g., all IT system changes promoted to production are recorded in the change management tracking application
• Accuracy—Amounts, dates and other data related to recorded activities have been recorded appropriately, e.g., all data related to the promotion of IT system changes into production are accurately displayed in the change records of the change management tracking application
• Integrity—Information, evidence and other data received come from trustworthy and reliable sources, e.g., the change records requested by professionals are received from the compliance manager, a trustworthy and reliable source within the enterprise
• Availability—Information, evidence and other data required for the audit engagement exist and are accessible, e.g., the requested change records exist and are readily accessible in the change management tracking application
• Compliance—Information, evidence and other data has been recorded according to the enterprise, regulatory or other applicable stipulations, e.g., all required fields, according to the applicable stipulations, are present on the change records of the change management tracking application
2.4.2 After forming a conclusion, professionals should issue an indirect or direct report on the subject matter:
• Indirect report—On the assertions about the subject matter. For example, on the assertion ‘completeness’, for a component of the subject matter: ‘Based on our operating effectiveness testing, in our opinion the IT system changes promoted to production, in all material respect according to the selected criteria, have been completely recorded in the change management tracking application’.
• Direct report—On the subject matter itself. For example, on the entire subject matter: ‘Based on our testing, in our opinion the IT system changes are following, in all material respect according to the selected criteria, the required change management procedure’.
(See also: Audit: direct reporting or attestation?)
- 2401 Reporting
2.1.1 Professionals may perform any of the following types of audit engagements:
• Examination
• Review
• Agreed‐upon procedures
2.1.2 Both examination and review engagements involve:
• Planning the engagement
• Evaluating the design effectiveness of control procedures
• Testing the operating effectiveness of the control procedures (the nature, timing and extent of testing will vary as between both types of engagements)
• Forming a conclusion about, and reporting on, the design and/or operating effectiveness of the control procedures based on the identified criteria:
– The conclusion for a reasonable assurance engagement is expressed as a positive opinion and provides a high level of assurance.
– The conclusion for a limited assurance engagement is expressed as a negative opinion and provides only a moderate level of assurance.
2.1.5 Where an audit engagement is to be undertaken to meet a regulatory or similarly imposed requirement, it is important that professionals are satisfied that the type of audit engagement is clear from the relevant legislation or other source of the audit engagement mandate. If there is any uncertainty, it is recommended that professionals and/or appointing party communicate with the relevant regulator or other party responsible for establishing or regulating the requirement and agree on the engagement type and the assurance to be provided.
2.2.2 When concluding on an examination or review engagement, professionals should come to an expression of opinion about whether, in all material respects, the design and/or operation of control procedures in relation to the area of activity were effective. This opinion can be:
• Unqualified—Professionals should express an unqualified opinion when they conclude that, in all material respects, the design and/or operation of control procedures in relation to the area of activity were effective, in accordance with the applicable criteria.
• Qualified—Professionals should express a qualified opinion when they:
– Having obtained sufficient and appropriate evidence, conclude that control weaknesses, individually or in the aggregate, are material, but not pervasive to the IS audit objectives
– Are unable to obtain sufficient and appropriate evidence on which to base the opinion, but conclude that the possible effects on the IS audit objectives of undetected weaknesses, if any, could be material but not pervasive
• Adverse—When one or more significant deficiencies aggregate to a material and pervasive weakness
• Disclaimer—Professionals should disclaim an opinion when they are unable to obtain sufficient and appropriate evidence on which to base the opinion, and conclude that the possible effects on the IS audit objectives of undetected
2.4.4 Professionals should obtain written representations from management acknowledging, at a minimum, the following assertions:
• Management responsibility for establishing and maintaining proper and effective internal controls, including systems of internal accounting and administrative controls over operating activities and information systems under review, and activities to identify all laws, rules, and regulations, which govern the subject area under review, and to ensure compliance with them.
• All requested information relevant to the engagement objectives was provided to the engagement team including, but not limited to:
– Records, related data, electronic files and reports
– Policies and procedures
– Pertinent personnel
– Results of relevant internal and external IS audits, reviews and assessments
• No event(s) has occurred or matters discovered since the end of fieldwork that would have a material effect on the engagement.
• Management has no knowledge of any fraud or suspected fraud, irregularities and illegal acts related to the subject area under review, including management and employees with responsibility for internal control not already disclosed.
• Management has no knowledge of any allegations of fraud or suspected fraud, irregularities and illegal acts affecting the area under review received in communications from employees, clients, contractors or others not already disclosed.
• Acknowledgement of responsibility for the design and implementation of programs and controls to prevent and detect fraud, irregularities and illegal acts.
I think "business judgement" will collide with "professional judgement"... It could be argued that the ISACA guidelines are not mandatory. That is true, but:
The guidelines are not mandatory—but adhering to them is strongly recommended. Although they do allow IS audit and assurance professionals a degree of application freedom, professionals must be able to defend and justify any significant deviation from the guidelines or the omission of relevant sections of the guidance in the conduct of IS audit and assurance engagements. This is particularly true if the engagement is more at the IS audit level. Not all guidelines will be applicable in all situations, but they should always be considered.