Read the book Practical Guide to Auditing SAP Systems - Martin Metz - Page 9

1.3 Standards for auditing information systems

Internal audit organizations or other professional associations have created a variety of standards for IS audits. These standards have become a discipline for both external and internal auditors around the world. The section below highlights the standards of the Institute of Internal Auditors (IIA) and the Information Systems Audit and Control Association (ISACA).

Both ISACA and IIA provide and propagate codes of ethics for the practice of internal audit. As hundreds of thousands of auditors around the world are members of these associations and are well informed about their ethical requirements, these organizations play an essential role in the entire practice and credibility of auditing. The IIA’s code of ethics contains the following principles:

- Integrity
- Objectivity
- Confidentiality
- Competency

Competency is, of course, crucial to the success of an audit, and because IS audits demand specialist knowledge, associations like ISACA have developed certification programs for training, assessing, and proving the qualification of IS auditors in particular. ISACA’s Certified Information Systems Auditor (CISA) certificate is very often a requirement for becoming an IS auditor.

The IIA has developed the International Professional Practices Framework (IPPF), and further technology-specific guides that help IS auditors.

ISACA has published the Information Technology Assurance Framework (ITAF) for IS audits. This framework comprises standards and guidelines for IS audit and assurance. These standards and guidelines give detailed and precise instructions on the following aspects of audits:

- Audit charter
- Organizational independence
- Professional independence
- Reasonable expectation
- Due professional care
- Proficiency
- Assertions
- Criteria
- Engagement planning
- Risk assessment in planning
- Performance and supervision
- Materiality
- Evidence
- Using the work of other experts
- Irregularity and illegal acts
- Reporting
- Follow-up activities

Auditors complying with these standards should always scrutinize the source, nature, and authenticity of all information gathered during audits. ISACA’s standard 1205, for example, covers the collection and handling of evidence. The associated guidelines explain how these standards are to be applied in practice.

Hundreds of further standards and guidelines exist around internal audit and IS audit in general. Furthermore, security standards are a good source for concrete audit plans. Some of these even list specific requirements for SAP systems, such as those of the German Federal Office for Information Security (BSI).

As explained above, there is a myriad of laws, standards, and reasons for conducting IS audits. We will now take you through the process of performing such an audit.
