ITAF Information Technology Assurance Framework

ITAF’s design recognizes that IS audit and assurance professionals are faced with different requirements and different types of audit and assurance assignments, ranging from leading an IS-focused audit to contributing to a financial or operational audit. ITAF is applicable to any formal audit or assurance engagement.

ITAF applies to individuals who act in the capacity of IS audit and assurance professionals and are engaged in providing assurance over some components of IT systems, applications, and infrastructure. However, the standards, guidelines and IS audit and assurance procedures are designed so that they may also be useful to, and benefit, a wider audience, including users of IS audit and assurance reports.

All GRC professionals need a proficient understanding of ITAF guidance.

EnterpriseGRC Solutions is particularly concerned with providing clients with section 1205 (Evidence) assurance.

1205 Evidence: Statements

  • 1205.1 IS audit and assurance professionals shall obtain sufficient and appropriate evidence to draw reasonable conclusions on which to base the engagement results.
  • 1205.2 IS audit and assurance professionals shall evaluate the sufficiency of evidence obtained to support conclusions and achieve engagement objectives.

Key Aspects

In performing an engagement, IS audit and assurance professionals should:

  • Obtain sufficient and appropriate evidence, including:
    – The procedures as performed
    – The results of procedures performed
    – Source documents (in either electronic or paper format), records and corroborating information used to support the engagement
    – Findings and results of the engagement
    – Documentation that the work was performed and complies with applicable laws, regulations, and policies
  • Prepare documentation, which should be:
    – Retained and available for a time period and in a format that complies with the audit or assurance organization’s policies and relevant professional standards, laws, and regulations.
    – Protected from unauthorized disclosure or modification throughout its preparation and retention.
    – Properly disposed of at the end of the retention period.
  • Consider the sufficiency of the evidence to support the assessed level of control risk when obtaining evidence from a test of controls.
  • Appropriately identify, cross-reference and catalog evidence.
  • Consider properties such as the source, nature (e.g., written, oral, visual, electronic) and authenticity (e.g., digital and manual signatures, stamps) of the evidence when evaluating its reliability.
  • Consider the most cost-effective and timely means of gathering the necessary evidence to satisfy the objectives and risk of the engagement. However, difficulty or cost is not a valid basis for omitting a necessary procedure.
  • Select the most appropriate procedure to gather evidence depending on the subject matter being audited (i.e., its nature, timing of the audit, professional judgment). Procedures used to obtain the evidence include:
    – Inquiry and confirmation
    – Reperformance
    – Recalculation
    – Computation
    – Analytical procedures
    – Inspection
    – Observation
    – Other generally accepted methods
  • Consider the source and nature of any information obtained to evaluate its reliability and further verification requirements. In general terms, evidence reliability is greater when it is:
    – In written form, rather than oral expressions
    – Obtained from independent sources
    – Obtained by the professional rather than by the entity being audited
    – Certified by an independent party
    – Kept by an independent party
    – The result of inspection
    – The result of observation
  • Obtain objective evidence that is sufficient to enable a qualified independent party to reperform the tests and obtain the same results and conclusions.
  • Obtain evidence commensurate with the materiality of the item and the risk involved.
  • Place due emphasis on the accuracy and completeness of information obtained from the enterprise when that information is used by the IS audit or assurance professional to perform audit procedures.
  • Disclose any situation where sufficient evidence cannot be obtained in a manner consistent with the communication of the IS audit or assurance engagement results.
  • Secure evidence against unauthorized access and modification.
  • Retain evidence after completion of the IS audit or assurance work as long as necessary to comply with all applicable laws, regulations, and policies.