IS Audit Standards, Guidelines, Functions, and Codes of Ethics form the mandatory governance framework that defines HOW an IS auditor must conduct their work — not just what they audit. ISACA's IS Audit Standards (IAS) are 14 mandatory principles organized across audit charter establishment (IAS 1010), evidence collection (IAS 1130), planning (IAS 1200), execution (IAS 1300 series), and reporting (IAS 1400 series). IS Audit Guidelines are advisory interpretations of those standards — expected best practices, but not mandates. The Code of Professional Ethics establishes four enforceable principles binding all CISA holders: Integrity, Objectivity, Confidentiality, and Competency. Together, these elements define the IS audit function — its scope, independence requirements, reporting obligations, and the behavioral constraints on every auditor exercising professional judgment.
Where it stops · what it isn't
- IS Audit Standards govern audit process and auditor conduct — they do not define what controls an organization must have (that is the domain of COBIT, NIST, ISO 27001).
- IS Audit Guidelines are advisory best practices — deviation is permitted if a defensible alternative approach is documented; deviation alone is not a standards violation.
- The Code of Professional Ethics applies to CISA-certified individuals and ISACA members — it is not a legal statute enforceable by courts, though violations can constitute evidence of negligence in litigation.
- IAS are not the same as regulatory audit requirements (HIPAA, SOX, PCI-DSS) — IAS govern how auditors operate within those regulatory contexts, not the controls those regulations require.
- The IS audit function (internal or external) is not the same as a cybersecurity team, compliance team, or IT operations team — auditors must maintain independence from the functions they audit.
Connected concepts in the graph
PART OF: IS Auditing Process (CISA Domain 1)
REQUIRES: Audit Charter (IAS 1010); Audit Independence and Objectivity
ENABLES: Audit Planning (IAS 1200); Audit Evidence Collection (IAS 1130); Audit Reporting and Follow-Up (IAS 1400 series)
RELATED TO: Audit Tools, Techniques, and Methods (CISA Domain 1)
CONSTRAINS: Risk-Based Audit Planning; Auditor Conduct and Ethical Decision-Making