I’ve got a couple of hours between two public meetings, talking about privacy and Social Networks here in Alcoy (Alicante), so I decided to go to the local library and take a look at my CISA Review Manual 2013.

I’ve been reading the Standards Framework that a wanna-be CISA needs to know to perform an IS Audit and, believe me, there are a lot of Auditing Standards (16, yes, sixteen!).

But what are these Standards for?

ISACA established these Standards to assure a minimum level of quality in IS Audit and to give the auditee the answer to the question: “What did I buy?”. If an auditee wants to know whether what he/she bought meets his/her expectations, there’s nothing better than comparing his/her investment in IS with the ISACA Standards and their IS Audit procedures (and results). Do they match? Terrific. If not, next time, call a CISA.

Let’s see these Standards, then.

The first one is the Audit Charter (S1), and we read about it in a previous post. But I don’t want to analyze every Auditing Standard (I have neither the permission nor the capability to do it). I would just like to underline something important about the Irregularities and Illegal Acts Standard (S9).

In the CISA Review Manual 2013, there are many practical guidelines for complying with this standard, like professional skepticism (if you are a LOPD auditor, you know what I mean), and the finding of unusual or unexpected relationships that may (just may…) indicate misstatements due to irregularities and illegal acts.

But what I really appreciated most is the advice that, if you find something really bad and nobody wants to fix it, you had better consider withdrawing from the engagement.