The Information Technology Assurance Framework (ITAF), published by ISACA, is a comprehensive and good-practice-setting model that:
- Provides guidance on the design, conduct and reporting of IT audit and assurance assignments;
- Defines terms and concepts specific to IT assurance;
- Establishes standards that address IT audit and assurance professional roles and responsibilities; knowledge and skills; and diligence, conduct and reporting requirements.
What is ITAF?
ITAF applies to individuals who act in the capacity of IT assurance professionals and are engaged in providing assurance over some components of IT systems, applications and infrastructure. ITAF consists of standards, guidelines, and tools and techniques for IT audit and assurance work.
The application of the framework is a prerequisite to conducting assurance work. The standards are mandatory while guidelines, tools and techniques are designed to provide non-mandatory assistance in performing assurance work and additional detail to support compliance with standards.
Who should use ITAF?
ITAF is designed primarily for use by individuals who act in the capacity of IT audit and assurance professionals and are engaged in providing assurance over some components of IT systems, applications and infrastructure; however, it can be used by anyone in the assurance profession. The framework is designed to provide benefits to wider audiences including senior management, boards, and users of IT and assurance reports.
ITAF's design recognizes that IT audit and assurance professionals face multiple requirements and types of audit, ranging from IT-focused audits to financial, operational or regulatory engagements. At this time, ITAF is not designed to address specific requirements with respect to consultative and advisory work.
How is ITAF organised?
ITAF includes three categories of standards—general, performance and reporting—as well as guidelines and, finally, tools and techniques:
- General—These are the guiding principles under which the IT assurance profession operates. They apply to the conduct of all assurance assignments and deal with the IT audit and assurance professional's ethics, independence, objectivity and due care, as well as knowledge, competency and skill.
- Performance—These standards deal with the conduct of the assignment: planning, scoping, risk and materiality, resource mobilization, supervision and assignment management, audit and assurance evidence, and the exercise of professional judgment and due care.
- Reporting—These standards address the types of reports, the means of communication and the information communicated.
- Guidelines—These provide the IT audit and assurance professional with information and direction about an audit or assurance area in line with the three categories of standards. Guidelines focus on the various audit approaches, methodologies and related material to assist in planning, executing, assessing, testing and reporting on IT processes, controls, and related audit or assurance initiatives. Guidelines also help clarify the relationship between enterprise activities and initiatives and those undertaken by IT.
- Tools and techniques—These provide specific information on various methodologies, tools and templates, and direction in their application and use, to operationalize the information provided in the guidelines. The tools and techniques are directly linked to specific guidelines. They take a variety of forms, such as discussion documents, technical direction, white papers, audit programs or books.
The IT assurance or audit process involves the conduct of specific procedures to provide an appropriate level of assurance about the subject matter. IT audit and assurance professionals undertake assignments designed to provide assurance at varying levels, ranging from review to attestation or examination.
Several critical assumptions are inherent in any IT assurance or audit assignment, including the following:
- The subject matter is identifiable and subject to audit.
- The audit or assurance project, if undertaken, has a significant likelihood of successful completion.
- The audit or assurance approach and methodology are free from bias.
- The IT audit or assurance project is of sufficient scope to meet the audit or assurance objectives.
- The IT audit or assurance project will lead to a report that is objective and will not mislead the reader.