Applicable professional standards issued by Standards Australia, the International Standards Organisation and Other Standards
Background:
The Model Internal Audit Charter as given in the IARM Policy states that the internal audit
activities will be conducted in accordance with relevant professional standards, including
standards issued by:
- the Institute of Internal Auditors (IIA): International Standards for the Professional Practice of Internal Auditing; and
- Standards Australia and the International Standards Organisation.
There is no practical problem in referring to the International Standards for the Professional Practice
of Internal Auditing issued by the Institute of Internal Auditors, as they are readily available in
one place on the IIA website. Last week I circulated a note comparing the requirements of the
IARM Policy with the IIA Standards. We noticed that the IARM Policy builds on the minimum
standards laid down by the IIA and adds further requirements based on best-practice
methods currently used by leading organisations.
This week I tried to analyse the other part: identifying the relevant standards of Standards
Australia and the ISO. As Internal Auditors, we have to understand the relevant standards. I
tried to do a bit of "research" on this.
I am totally confused. When I studied the Australian Standards, I could find some standards
relating to risk management but nothing else of any direct relevance to internal auditing.
I was also overwhelmed by the large number of standards that are available under ISO.
There are about 17500 Standards and about 1100 Standards are published each year.
It would be a very difficult, almost impracticable, task for all of us to identify the professional
standards of relevance out of these numerous standards and to apply them in the internal
audit activities.
If we study the internal audit manuals of many leading organisations, we will note that they, in
addition to the IIA Standards, also make reference to the auditing standards issued by the
respective countries' professional bodies of accounting as well as to the standards published
by the Information Systems Audit and Control Association (ISACA).
Thus, in specific areas of specialisation, such as audits of financial records and audits
related to computer-based systems and functions, other authoritative bodies have issued
audit statements and guidelines. In particular, the Australian Auditing and Assurance
Standards Board has issued statements on auditing standards and practices, having regard
to generally accepted principles applying in both the public and private sector, for audits of
financial statements. ISACA, another international body, has developed standards for
Information Technology auditing.
It may be noted that of late the IIA has issued a number of Practice Guides under the Global
Technology Audit Guide (GTAG) series, addressing IT controls and IT auditing, and under the
Guide to Assessment of IT Risk (GAIT), addressing business and IT risk, to make the IIA
Standards comprehensive and complete.
I wonder whether the intention as per the Model IA Charter is that the internal audit shall
be conducted in accordance with the relevant professional auditing standards published also
by the Australian Auditing and Assurance Standards Board (AUASB), in addition to the IIA
Standards. From a study of the AUASB Standards, we can easily identify many of the
Standards which may be of relevance to Internal Auditing, particularly when performed by
outsourced service providers belonging to CA and CPA firms. As observed earlier, there are
also standards issued by ISACA on IS Auditing. I am not sure whether we would be required
to follow those Standards when doing Information Technology Audits.
In this note I try to give a brief description of each of these standards with a view to seeking other
network members' views on which of these Standards would actually apply to our work as
Internal Auditors, besides the IIA Standards.
I think the IARM Policy is clear on this, stating that we need to adhere to the IIA Standards,
but the Model Internal Audit Charter appears to have added some confusion by including the
Australian Standards and ISO Standards.
I believe that clarity on the exact standards we need to apply in conducting the internal
audit would be helpful.
I give below a brief description of each of the above standards:
A. Standards Australia:
Standards Australia is the nation's peak non-government Standards organisation. It is
charged by the Commonwealth Government to meet Australia's need for contemporary,
internationally aligned Standards and related services. The Standards Australia Council is
responsible for the general oversight of standardization in Australia and the governance of
Standards Australia.
Standards Australia's work continues in traditional areas such as building, construction,
energy, consumer protection and safety. It is also actively involved in developing Standards
in areas including:
- Climate change and greenhouse gas emissions;
- Personal financial planning and employment screening;
- National security;
- IT security and risk management;
- Managerial and organisational practice, risk management, corporate social responsibility; and
- Electronic health records, messaging and communication.
The work of Standards Australia enhances the nation’s economic efficiency, international
competitiveness and contributes to community demand for a safe and sustainable
environment.
However, the important role of Standards in any advanced nation's technical infrastructure
means that a close and co-operative working relationship with government is essential. To
ensure this, a Memorandum of Understanding has existed between Standards Australia and
the Commonwealth Government since 1988. The Memorandum recognizes Standards
Australia as the peak non-government Standards body in Australia.
This memorandum details the accord that exists between the two parties in respect to
Australian standardization. Among the principal accords are that no Australian Standard will
contravene the World Trade Organization's requirements that national Standards should not
be used as non-tariff barriers to free trade; and agreement that no new Australian Standard
will be developed where an acceptable international Standard already exists.
When we search Standards Australia through the www.riskmanagement.com.au website, we
get the following listing of Standards in the "Australian Standard 4360 Risk management
portal":
AS/NZS 4360:2004 Risk management, along with the following Risk Handbooks:
- HB 141-2004 Risk Financing Guide
- HB 203:2006 Environmental Risk
- HB 205:2004 OHS Risk Management Handbook
- HB 221:2004 Business Continuity
- HB 240-2004 Risk in Outsourcing
- HB 246-2004 Risk in Sport and Recreation
- HB 254-2005 Governance, risk management and control assurance
All of these relate to risk management.
When we search the Australian Standards website to get a listing of "Australian Standards",
we are taken to the saiglobal.com website as below:
http://www.saiglobal.com/shop/script/Result.asp?DegnKeyword=Australian+Standards&Db=AS&SearchType=publisheronly&Status=all&Max=15&Search=Proceed&SAView=1&TR=1
This website lists the following 28 items as Australian Standards:
- AS 2987/A-1987: Annexure to the Australian Standard for conditions of contract for supply and erection of equipment
- AS 2987/B-1987: Annexure to the Australian Standard for conditions of contract for supply and erection of equipment
- AS 4708-2007: Forest management - Economic, social, environmental and cultural criteria and requirements for wood production (known as The Australian Forestry Standard)
- AS 4708-2007: Forest management - Economic, social, environmental and cultural criteria and requirements for wood production (known as The Australian Forestry Standard)
- AS 4708-2007: Forest management - Economic, social, environmental and cultural criteria and requirements for wood production (known as The Australian Forestry Standard)
- AS 4708 Supp 3-2007: The Australian Forestry Standard - Guidance for small native forest and plantation ownerships (Supplement 3 to AS 4708-2007)
- AS SSA 5300-2009: Australian Fish Names Standard
- HB 15-1988: Chemical analysis index - A keyword listing of methods described or cited in Australian Standards (Chemdex)
- HB 162-2002: Rules for the structure and drafting of Australian Standards
- HB 2.1-1998: Australian Standards for civil engineering students - Materials and testing
- HB 2.2-2003: Australian Standards for civil engineering students - Structural engineering
- HB 2.2-2003/Amdt 1-2003: Australian Standards for civil engineering students - Structural engineering
- HB 2.2-2003/Amdt 2-2004: Australian Standards for civil engineering students - Structural engineering
- HB 37.0-1995: Handbook of Australian fire Standards - Fire test Standards - Preparation, application and format
- HB 37.1-1993: Handbook of Australian fire Standards - Fire - General
- HB 37.2-1993: Handbook of Australian fire Standards - Electrical equipment
- HB 37.3-1993: Handbook of Australian fire Standards - Plastics and rubber - Materials and products
- HB 37.4-1994: Handbook of Australian fire Standards - Building materials, products and construction
- HB 37.5-1995: Handbook of Australian fire Standards - Textiles - Materials and products
- HB 5.1-1991: Australian Standards for plumbing students - Trade Course
- HB 63-1994: Home insulation in Australia - Recommended insulation levels for all States as per Australian Standard AS 2627.1
- HB 73.1-2005: Handbook of Australian Paint Standards - General
- HB 73.2-2005: Handbook of Australian Paint Standards - Test methods
- HB 73.3-1995: Handbook of Australian Paint Standards - Industrial paints
- HB 73.4-1995: Handbook of Australian Paint Standards - Architectural paints
- MP 15.2-1990: Standards Australia Style Manual - Drafting of Australian Standards
- MP 84-2000: Evolution of Australian Standards for structural steel
- MP 88-2000: Evolution of Australian Standard for Pressure vessel steel plate
B. International Standards Organization:
ISO (International Organization for Standardization) is the world's largest developer and
publisher of International Standards.
ISO is a network of the national standards institutes of 162 countries, one member per
country, with a Central Secretariat in Geneva, Switzerland, that coordinates the system.
ISO is a non-governmental organization that forms a bridge between the public and private
sectors. On the one hand, many of its member institutes are part of the governmental
structure of their countries, or are mandated by their government. On the other hand, other
members have their roots uniquely in the private sector, having been set up by national
partnerships of industry associations.
Therefore, ISO enables a consensus to be reached on solutions that meet both the
requirements of business and the broader needs of society.
ISO has developed over 17500 International Standards on a variety of subjects, and some
1100 new ISO standards are published every year.
The ISO’s International Standard ISO 31000 “Risk Management- Principles and Guidelines
on implementation” is under development. ISO 31000 is expected to consolidate existing
AS/NZS 4360 and it is likely Standards Australia would adopt this Standard.
ISO standards that provide requirements or give guidance on good management practice are
among the best known of ISO's offerings.
Of these, two have achieved truly global status and are now thoroughly integrated with the
world economy:
- ISO 9001:2000 (the transition to ISO 9001:2008 is now taking place), which gives the requirements for quality management systems, providing assurance about the ability to satisfy quality requirements and to enhance customer satisfaction in supplier-customer relationships.
- ISO 14001:2004, which gives the requirements for environmental management systems and confirms its relevance for organisations wishing to operate in an environmentally sustainable manner.
The following 21 standards are listed when searching using the word "Audit" in the
title and abstract:
- ISO/IEC 27006:2007: Information technology -- Security techniques -- Requirements for bodies providing audit and certification of information security management systems
- ISO/IEC 17021:2006: Conformity assessment -- Requirements for bodies providing audit and certification of management systems
- ISO 28003:2007: Security management systems for the supply chain -- Requirements for bodies providing audit and certification of supply chain security management systems
- ISO/PAS 30003:2008: Ships and marine technology -- Ship recycling management systems -- Requirements for bodies providing audit and certification of ship recycling management
- ISO/TS 22003:2007: Food safety management systems -- Requirements for bodies providing audit and certification of food safety management systems
- ISO/IEC 10164-8:1993: Information technology -- Open Systems Interconnection -- Systems Management: Security audit trail function
- ISO/IEC 10181-7:1996: Information technology -- Open Systems Interconnection -- Security frameworks for open systems: Security audit and alarms framework
- ISO/IEC 7942-3:1999: Information technology -- Computer graphics and image processing -- Graphical Kernel System (GKS) -- Part 3: Audit trail
- ISO/IEC TR 24714-1:2008: Information technology -- Biometrics -- Jurisdictional and societal considerations for commercial applications -- Part 1: General guidance
- ISO/TR 21089:2004: Health informatics -- Trusted end-to-end information flows
- ISO/IEC 21000-6:2004: Information technology -- Multimedia framework (MPEG-21) -- Part 6: Rights Data Dictionary
- ISO 10007:2003: Quality management systems -- Guidelines for configuration management
- ISO 13448-1:2005: Acceptance sampling procedures based on the allocation of priorities principle (APP) -- Part 1: Guidelines for the APP approach
- ISO 9000:2005: Quality management systems -- Fundamentals and vocabulary
- ISO/IEC 29881:2008: Information technology -- Software and systems engineering -- FiSMA 1.1 functional size measurement method
- ISO 19011:2002: Guidelines for quality and/or environmental management systems auditing
- ISO 20176:2006: Road vehicles -- H-point machine (HPM II) -- Specifications and procedure for H-point determination
- ISO/IEC TR 15443-1:2005: Information technology -- Security techniques -- A framework for IT security assurance -- Part 1: Overview and framework
- ISO 13606-1:2008: Health informatics -- Electronic health record communication -- Part 1: Reference model
- ISO 22307:2008: Financial services -- Privacy impact assessment
- ISO/TS 16949:2009: Quality management systems -- Particular requirements for the application of ISO 9001:2008 for automotive production and relevant service part organizations
The following 20 items are listed when searching using the words "Risk Management"
in the title and abstract:
- ISO 15743:2008: Ergonomics of the thermal environment -- Cold workplaces -- Risk assessment and management
- ISO/IEC 27005:2008: Information technology -- Security techniques -- Information security risk management
- ISO 17666:2003: Space systems -- Risk management
- ISO 22442-1:2007: Medical devices utilizing animal tissues and their derivatives -- Part 1: Application of risk management
- ISO/IEC 16085:2006: Systems and software engineering -- Life cycle processes -- Risk management
- ISO/TS 22367:2008: Medical laboratories -- Reduction of error through risk management and continual improvement
- ISO/TS 20993:2006: Biological evaluation of medical devices -- Guidance on a risk management process
- ISO 14971:2007: Medical devices -- Application of risk management to medical devices
- ISO/IEC Guide 73:2002: Risk management -- Vocabulary -- Guidelines for use in standards
- ISO/TS 16732:2005: Fire safety engineering -- Guidance on fire risk assessment
- ISO 19092:2008: Financial services -- Biometrics -- Security framework
- ISO/PAS 22399:2007: Societal security -- Guideline for incident preparedness and operational continuity management
- ISO/IEC 27002:2005: Information technology -- Security techniques -- Code of practice for information security management
- ISO 10303-232:2002: Industrial automation systems and integration -- Product data representation and exchange -- Part 232: Application protocol: Technical data packaging core information and exchange
- ISO 15928-1:2003: Houses -- Description of performance -- Part 1: Structural safety
- ISO 5840:2005: Cardiovascular implants -- Cardiac valve prostheses
- ISO 22442-2:2007: Medical devices utilizing animal tissues and their derivatives -- Part 2: Controls on sourcing, collection and handling
- ISO 22442-3:2007: Medical devices utilizing animal tissues and their derivatives -- Part 3: Validation of the elimination and/or inactivation of viruses and transmissible spongiform encephalopathy (TSE) agents
- ISO/IEC 17799:2005: Information technology -- Security techniques -- Code of practice for information security management
- ISO 22307:2008: Financial services -- Privacy impact assessment
There are some 133 standards listed when searching using the words "Risk Assessment". Some of the
items which may have some relation to audit are:
- ISO 2859-4:2002: Sampling procedures for inspection by attributes -- Part 4: Procedures for assessment of declared quality levels
- ISO/IEC 15504-4:2004: Information technology -- Process assessment -- Part 4: Guidance on use for process improvement and process capability determination
- ISO 8423:2008: Sequential sampling plans for inspection by variables for percent nonconforming (known standard deviation)
- ISO 19706:2007: Guidelines for assessing the fire threat to people
- ISO/IEC 27002:2005: Information technology -- Security techniques -- Code of practice for information security management
- ISO/IEC 17799:2005: Information technology -- Security techniques -- Code of practice for information security management
- ISO 8422:2006: Sequential sampling plans for inspection by attributes
- ISO 22307:2008: Financial services -- Privacy impact assessment
Under "Risk Mitigation", the following standard is listed:
- ISO/PAS 22399:2007: Societal security -- Guideline for incident preparedness and operational continuity management
C. Standards issued by the Australian Auditing and Assurance Standards Board (AUASB):
The Corporate Law Economic Reform Program (Audit Reform and Corporate Disclosure) Act 2004 (the
CLERP 9 Act) established the AUASB as an independent statutory body under section 227A of the
Australian Securities and Investments Commission Act 2001, as from 1 July 2004.
Under section 227B of that Act, the AUASB may formulate guidance on auditing and assurance matters.
The establishment of the Auditing and Assurance Standards Board ("AUASB") was the result of the
following two significant amendments to the Corporations Act 2001 that emanated from CLERP 9:
(a) the reconstitution of the former Auditing and Assurance Standards Board ("AuASB") as a statutory
body under the oversight of the Financial Reporting Council; and
(b) giving Auditing Standards the force of law for the purposes of the Corporations Act 2001.
The primary functions of the AUASB under section 227B of the ASIC Act are:
(a) to make auditing standards under section 336 of the Corporations Act 2001 for the purposes of the
corporations legislation;
(b) to formulate auditing and assurance standards for other purposes;
(c) to formulate guidance on auditing and assurance matters;
(d) to participate in and contribute to the development of a single set of auditing standards for worldwide use; and
(e) to advance and promote the main objects of Part 12 of the ASIC Act.
The International Auditing and Assurance Standards Board (“IAASB”) of the International Federation of
Accountants (“IFAC”) issues, on an international basis, exposure drafts, standards and other
pronouncements on auditing and assurance matters.
Participation in the work of the IAASB is considered integral to the ability of the AUASB to continue as an
effective national standard-setter and is important to the AUASB maintaining and further developing the
auditing and assurance standards and related guidance which are used in Australia. Australia has been
regarded as an influential international contributor, through membership and direct input on matters on
which the IAASB deliberates.
Where appropriate, the AUASB uses pronouncements issued by the IAASB as a basis for preparing
Australian pronouncements. The rationale for this policy is the existence of the IAASB as the major global
principles-based auditing and assurance standards setting body and the significant strengthening of its
public interest focus in recent years, reinforced through oversight of its activities by IFAC's Public Interest
Oversight Board. Furthermore, the strategic direction set by the FRC requires that, where appropriate,
equivalent ISAs be used as the basis for re-drafting Australian Auditing Standards.
The AUASB issues the following types of standards:
(a) Auditing Standards ("ASAs");
(b) Standards on Review Engagements ("ASREs");
(c) Standards on Assurance Engagements ("ASAEs"); and
(d) Standards on Related Services ("ASRSs").
ASAs, ASREs, ASAEs and ASRSs are collectively referred to in this document as the “AUASB Standards”.
The AUASB has issued ASA 100 Preamble to AUASB Standards, which sets out the AUASB's intentions
on how the AUASB Standards are to be understood, interpreted and applied. ASA 100 also identifies those
AUASB Standards which have the force of law for the purposes of the Corporations Act 2001.
Auditing Standards (ASAs), whilst developed in the context of financial report audits, are to be applied also,
as appropriate, to all audits of other historical financial information. An audit is designed to provide
reasonable assurance.
Standards on Review Engagements (ASREs) are to be applied to the review of a financial report and are to
be applied also, as appropriate, to the review of other historical financial information. A review provides a
lower level of assurance than an audit.
Standards on Assurance Engagements (ASAEs) are to be applied to assurance engagements dealing with
subject matters other than historical financial information. These engagements may provide either
reasonable or limited assurance, depending on the nature of the engagement. Examples of such subject
matters include the efficiency and/or effectiveness of an entity's activities, prospective financial information and the
effectiveness of internal controls.
Standards on Related Services (ASRSs) are to be applied to engagements involving agreed-upon
procedures to information and other related services engagements as specified by the AUASB. These
engagements do not provide any assurance.
The AUASB issues the following types of guidance:
(a) Guidance Statements; and
(b) Other guidance publications.
The AUASB issues Guidance Statements on audit, review, assurance and related services matters.
Guidance Statements, whilst approved and issued by the AUASB, do not establish new principles or
amend existing Standards and do not have the force of law for the purposes of the Corporations Act 2001.
Issuance of Guidance Statements will normally be appropriate where the AUASB wishes to provide
guidance on procedural matters or on entity or industry specific issues.
The AUASB also issues Auditing Guidance Notes and Auditing and Assurance Alerts. Auditing Guidance
Notes are issued to provide interim guidance on matters that are of relevance to audits but which are yet to
be incorporated in Standards or Guidance Statements. They do not amend existing Standards and
Guidance Statements and do not have the force of law for the purposes of the Corporations Act 2001.
Auditing and Assurance Alerts do not provide interim guidance but discuss and create awareness of
emerging topical issues. Auditing and Assurance Alerts do not have the force of law for the purposes of the
Corporations Act 2001.
The AUASB website (www.auasb.gov.au) is designed to meet stakeholder information needs. The website
is used to provide information about the AUASB, its governance guidelines, activities and work programme
to its stakeholders and interested parties. Pronouncements issued by the AUASB are published on the
website and are available for download free of charge. The AUASB publishes, on its website, meeting
agendas and meeting papers prior to meetings and meeting highlights after meetings. Members of the
public are able to register for the AUASB Update Notification Service which provides registrants with a
notification, in the form of an email, alerting of important updates to the website.
This Framework for Assurance Engagements (Framework) defines and describes the elements and
objectives of an assurance engagement, and identifies engagements to which Auditing Standards (ASAs),
Standards on Review Engagements (ASREs) and Standards on Assurance Engagements (ASAEs) apply.
It provides a frame of reference for:
(a) assurance practitioners;
(b) others involved with assurance engagements, including the intended users of an assurance report
and the responsible party; and
(c) the Auditing and Assurance Standards Board in its development of ASAs, ASREs, ASAEs and
other pronouncements.
In addition to this Framework and ASAs, ASREs and ASAEs, assurance practitioners who perform
assurance engagements may be governed by:
- The applicable code of conduct of a professional accounting body, which establishes fundamental ethical principles for assurance practitioners.
- The quality control requirements for firms issued by a professional accounting body, which establish standards and provide guidance on a firm's system of quality control.
- Any relevant legislative requirement.
Code of Professional Conduct of the Professional Bodies:
In Australia, the codes of conduct of the professional accounting bodies, as issued from time to time,
are:
- CPA Australia and The Institute of Chartered Accountants in Australia, Joint Code of Professional Conduct; and
- National Institute of Accountants, Pronouncements of the Board of Directors - Code of Ethics.
In Australia, the quality control requirements for firms, as issued from time to time, are:
- CPA Australia and The Institute of Chartered Accountants in Australia, APS 5 Statement of Quality Control for Firms; and
- National Institute of Accountants, Standard on Quality Control.
The following is the list of Auditing and other Standards and guidance issued by the AUASB:
ASA - Auditing Standards
ASA100 - Preamble to AUASB Standards
ASA200 - Auditing Standard ASA 200 Objective and General Principles Governing an Audit of a Financial Report
ASA210 - Auditing Standard ASA 210 Terms of Audit Engagements
ASA220 - Quality Control for Audits of Historical Financial Information
ASA230 - Audit Documentation
ASA240 - The Auditor's Responsibility to Consider Fraud in an Audit of a Financial Report
ASA250 - Consideration of Laws and Regulations in an Audit of a Financial Report
ASA260 - Communication of Audit Matters with Those Charged with Governance
ASA300 - Planning an Audit of a Financial Report
ASA315 - Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement
ASA320 - Materiality and Audit Adjustments
ASA330 - The Auditor's Procedures in Response to Assessed Risks
ASA402 - Audit Considerations Relating to Entities Using Service Organisations
ASA500 - Audit Evidence
ASA501 - Existence and Valuation of Inventory
ASA505 - External Confirmations
ASA508 - Enquiry Regarding Litigation and Claims
ASA510 - Auditing Standard ASA 510 Initial Engagements – Opening Balances
ASA520 - Analytical Procedures
ASA530 - Audit Sampling and Other Means of Testing
ASA540 - Audit of Accounting Estimates
ASA545 - Auditing Fair Value Measurements and Disclosures
ASA550 - Related Parties
ASA560 - Subsequent Events
ASA570 - Auditing Standard ASA 570 Going Concern
ASA580 - Management Representations
ASA600 - Using the Work of Another Auditor
ASA610 - Considering the Work of Internal Audit
ASA620 - Using the Work of an Expert
ASA700 - Auditing Standard ASA 700 The Auditor's Report on a General Purpose Financial Report
ASA701 - Auditing Standard ASA 701 Modifications to the Auditor's Report
ASA710 - Auditing Standard ASA 710 Comparatives
ASA720 - Other Information in Documents Containing Audited Financial Reports
ASA800 - Auditing Standard ASA 800 The Auditor's Report on Special Purpose Audit Engagements
ASRE2410 - Review of Interim and Other Financial Reports Performed by the Independent Auditor of the Entity
ASA - Amendments to Australian Auditing Standards
ASA2007-1 - Auditing Standard ASA 2007-1 Amendments to Australian Auditing Standards
ASA2008-1 - Amendments to Australian Auditing Standards
ASAE - Standards on Assurance Engagements
ASAE3000 - Assurance Engagements Other than Audits or Reviews of Historical Financial Information
ASAE3100 - Compliance Engagements
ASAE3500 - Performance Engagements
Standards on Review Engagements
ASRE2400 - Review of a Financial Report Performed by an Assurance Practitioner Who is Not the Auditor of the Entity
ASRE2405 - Review of Historical Financial Information Other than a Financial Report
Explanatory Guide to AUASB Standards Applicable to Review Engagements
AUS - Auditing and Assurance Standards - Current
AUS804 - The Audit of Prospective Financial Information
AUS810 - Special Purpose Reports on the Effectiveness of Control Procedures
AUS904 - Engagements to Perform Agreed-Upon Procedures
Guidance Statements
GS001 - Concise Financial Reports
GS002 - Special Considerations in the Audit of Risk Management Requirements for Registrable Superannuation En
Licensees
GS003 - Audit and Review Requirements for Australian Financial Services Licensees under the Corporations Act 2001
GS004 - Audit Implications of Prudential Reporting Requirements for General Insurers
GS005 - Using the Work of an Actuary
GS006 - Electronic Publication of the Auditor's Report
GS007 - Audit Implications of the Use of Service Organisations for Investment Management Services
GS008 - The Auditor's Report on a Remuneration Report Pursuant to Section 300A of the Corporations Act 2001
GS009 - Auditing Self Managed Superannuation Funds
GS010 - Responding to Questions at an Annual General Meeting
GS011 - Third Party Access to Audit Working Papers
AGS - Auditing and Assurance Guidance Statements - Current
AGS1002 - Bank Confirmation Requests
AGS1004 - Transitional Arrangements on Changes in Audit Appointments under the Corporations Act 2001
AGS1008 - Audit Implications of Prudential Reporting Requirements for Authorised Deposit-taking Institutions (ADIs)
AGS1014 - Privity Letter Requests
AGS1016 - Audit and Review Reports on Half-Year Financial Reports of Disclosing Entities Under the Corporations Act 200
AGS1024 - Life Insurance Act 1995 — Audit Obligations
AGS1030 - Auditing Derivative Financial Instruments
AGS1032 - The Audit Implications of Accounting for Investments in Associates
AGS1036 - The Consideration of Environmental Matters in the Audit of a Financial Report
AGS1040 - Franchising Code of Conduct – Auditor’s Reports
AGS1042 - Reporting on Control Procedures at Outsourcing Entities
AGS1052 - Special Considerations in the Audit of Compliance Plans of Managed Investment Schemes
AGS1054 - Auditing Revenue of Charitable Entities
AGS1058 - Auditing Mortgage Investment Schemes
AGS1062 - Reporting in Connection with Proposed Fundraisings
D. Additional Material
The Australian Auditing Manual
There is also other useful material, viz. The Australian Auditing Manual, published by Chartered
Accountants, Australia.
The Australian Auditing Manual has been developed to explain and illustrate, and to give a greater
understanding of, conducting audits in compliance with the Australian Auditing Standards (ASAs); it is
not a substitute for them. The Manual provides, by way of a comprehensive case study, illustrations of:
- Planning and performing risk assessment procedures
- Understanding the client and responding to risks
- Audit documentation, evaluating audit evidence and reporting.
The Manual is a practical 'how to' guide, based on typical small to medium enterprise audits.
E. ISACA Standards:
With more than 86,000 constituents in more than 160 countries, ISACA® (www.isaca.org) is a leading
global provider of knowledge, certifications, community, advocacy and education on information systems
assurance and security, enterprise governance of IT, and IT-related risk and compliance. Founded in 1969,
ISACA sponsors international conferences, publishes the ISACA® Journal, and develops international
information systems auditing and control standards. It also administers the globally respected Certified
Information Systems Auditor™ (CISA®), Certified Information Security Manager® (CISM®) and Certified in
the Governance of Enterprise IT® (CGEIT®) designations.
ISACA developed and continually updates the COBIT®, Val IT™ and Risk IT frameworks, which help IT
professionals and enterprise leaders fulfil their IT governance responsibilities and deliver value to the
business.
Since its inception, ISACA has become a pace-setting global organization for information governance,
control, security and audit professionals. Its IS auditing and IS control standards are followed by
practitioners worldwide. Its research pinpoints professional issues challenging its constituents. Its Certified
Information Systems Auditor (CISA) certification is recognized globally and has been earned by more than
60,000 professionals since inception. The Certified Information Security Manager (CISM) certification
uniquely targets the information security management audience and has been earned by more than 10,000
professionals. The Certified in the Governance of Enterprise IT (CGEIT) designation promotes the
advancement of professionals who wish to be recognized for their IT governance-related experience and
knowledge and has been earned by more than 200 professionals. It publishes a leading technical journal in
the information control field, the ISACA Journal. It hosts a series of international conferences focusing on
both technical and managerial topics pertinent to the IS assurance, control, security and IT governance
professions. Together, ISACA and its affiliated IT Governance Institute lead the information technology
control community and serve its practitioners by providing the elements needed by IT professionals in an
ever-changing worldwide environment.
IS Auditing Standards
S1 Audit Charter
S2 Independence
S3 Professional Ethics and Standards
S4 Professional Competence
S5 Planning
S6 Performance of Audit Work
S7 Reporting
S8 Follow-up Activities
S9 Irregularities and Illegal Acts
S10 IT Governance
S11 Use of Risk Assessment in Audit Planning
S12 Audit Materiality
S13 Using the Work of Other Experts
S14 Audit Evidence
S15 IT Controls
S16 E-commerce
IS Auditing Guidelines
G01 Using the Work of Other Experts
G02 Audit Evidence Requirement
G03 Use of Computer-Assisted Audit Techniques
G04 Outsourcing of IS Activities to Other Organisations
G05 Audit Charter
G06 Materiality Concepts for Auditing Information Systems
G07 Due Professional Care
G08 Audit Documentation
G09 Audit Considerations for Irregularities
G10 Audit Sampling
G11 Effect of Pervasive IS Controls
G12 Organisational Relationship and Independence
G13 Use of Risk Assessment in Audit Planning
G14 Application Systems Review
G15 Planning
G16 Effect of Third Parties on an Enterprise’s IT Controls
G17 Effect of Nonaudit Role on the IT Audit and Assurance Professional’s Independence
G18 IT Governance
G20 Reporting
G21 Enterprise Resource Planning (ERP) Systems Review
G22 Business to Consumer (B2C) E-commerce Review
G23 System Development Life Cycle (SDLC) Review
G24 Internet Banking
G25 Review of Virtual Private Networks
G26 Business Process Reengineering (BPR) Project Reviews
G27 Mobile Computing
G28 Computer Forensics
G29 Post Implementation Review
G30 Competence
G31 Privacy
G32 Business Continuity Plan (BCP) Review from IT Perspective
G33 General Considerations on the Use of Internet (
G34 Responsibility, Authority and Accountability
G35 Follow-up Activities
G36 Biometric Controls
G37 Configuration Management Process
G38 Access Controls
G39 IT Organisation
G40 Review of Security Management Practices
IS Auditing Procedures
P01 IS Risk Assessment Measurement
P02 Digital Signatures
P03 Intrusion Detection
P04 Viruses and Other Malicious Logic
P05 Control Risk Self-assessment
P06 Firewalls
P07 Irregularities and Illegal Acts
P08 Security Assessment - Penetration Testing and Vulnerability Analysis
P09 Evaluation of Management Controls Over Encryption Methodologies
P10 Business Application Change Control
P11 Electronic Funds Transfer