The Institute of Chartered Accountants of India has released an exposure draft of the Information Systems Audit Standards proposing a comprehensive, principle-based framework that sets out minimum requirements for information systems audit engagements, including planning, execution, reporting and quality control.
The draft, issued by the Digital Accounting and Assurance Board, seeks to formally define the scope, expectations and accountability framework for information systems audits in India, as digital systems and cybersecurity risks increasingly influence corporate governance, regulatory supervision and financial reporting reliability. The standards have been placed in the public domain for stakeholder comments.
“The ISAS seek to provide the professional, the users of IS audit services and regulators with an appreciation of what can be expected from such engagements,” the exposure draft said.
Draft seeks to standardise IS audit practices
The exposure draft notes that while information systems audits have become critical across sectors, practices remain uneven, with no single authoritative standard prescribing how such audits should be conducted and reported.
To address this gap, the proposed ISAS are intended to establish a uniform and structured standard-setting framework, similar to financial audit standards, but tailored to the unique risks of digital systems.
“The standards provide the minimum requirements to be complied with in an information systems audit engagement,” the draft said, underlining that ISAS are meant to act as baseline professional obligations rather than optional guidance.
Principle-based standards, not checklist-driven
ICAI has adopted a principle-based approach rather than a prescriptive, rule-based model. The draft explains that this approach is designed to allow professional judgement while ensuring consistent quality outcomes.
“The ISAS are principle-based and provide a framework within which professional judgement is exercised to achieve quality outcomes,” the exposure draft said.
This approach reflects the dynamic nature of technology environments, where rigid procedures may quickly become obsolete.
Four-part framework proposed
The draft outlines a structured ISAS framework comprising basic principles of information systems audit, key concepts, information systems audit standards and guidance.
According to the draft, the framework is intended to ensure consistent application of information systems audit standards and achievement of quality outcomes across engagements.
Nine basic principles to govern all IS audits
At the core of the proposed standards are nine basic principles that will apply to all information systems audit engagements. These include independence, integrity, objectivity, due professional care, confidentiality, professional competence, effective communication and commitment to quality.
“These basic principles apply to all information systems audit engagements and are fundamental to achieving reliable audit outcomes,” the draft said.
The principles mirror foundational audit ethics while recognising the distinct challenges posed by digital infrastructure, data security and cyber risk.
Clear reporting and disclosure obligations proposed
A key feature of the draft is its emphasis on reporting discipline and transparency. Where an auditor is unable to comply with any requirement of an ISAS, the draft mandates explicit disclosure.
“In case of non-compliance with any of the requirements of the ISAS, the information systems auditor shall disclose such departure and the reasons thereof,” the exposure draft said.
This provision is intended to strengthen accountability and allow users of audit reports to clearly understand the scope and limitations of the engagement.
DAAB designated as ISAS standard-setter
The exposure draft formally designates the Digital Accounting and Assurance Board as the standard-setting authority for ISAS. The board is tasked with reviewing existing practices, identifying areas requiring standardisation and issuing new or revised standards as required.
“Given the pace of digital transformation and the evolving information systems and cybersecurity landscape, a continuous ISAS development process is necessitated,” the draft said.
Multi-stage standard-setting process outlined
The draft details a six-stage standard-setting process covering identification of topics and timelines, formation of study groups, drafting of standards, public exposure for comments, review of feedback and finalisation with approval by the ICAI Council.
The process includes consultations with regulators and institutions such as the Reserve Bank of India, the Securities and Exchange Board of India, CERT-In, the Ministry of Finance and other government bodies, reflecting the regulatory importance of information systems assurance.
Standards may be made mandatory in phases
The exposure draft notes that, once finalised, ISAS may be made mandatory, either fully or in a phased manner, subject to a decision by the ICAI Council.
“The standards may be made mandatory in a phased manner, as decided by the Council,” the draft said.
Mandatory adoption would significantly alter the IS audit landscape by converting what has largely been a best-practice exercise into a formal compliance framework.
Public comments invited
The exposure draft has been placed in the public domain for stakeholder comments, following which the standards will be revised and placed before the ICAI Council for final approval.
Once notified, the ISAS will provide India with its first formal, standardised framework for information systems audits, setting expectations on minimum requirements, quality benchmarks and reporting obligations in an increasingly digital economy.

