ISACA Standards, the Ethics Code, and the IS-audit tripod
Opening — the day Leo had to defend his signature
Leo, senior IS auditor in a mid-size European bank (8,200 staff, €2.1bn net banking income), has just signed an adverse conclusion on the outsourcing of the core-banking platform to a cloud provider. The Head of Operations blows up in the steering committee: "On what basis? Who gave you authority to block a 40-million-euro programme?" The room tightens. The programme sponsor stares at her phone. The CIO — Leo's quiet ally — says nothing. He observes.
What Leo will answer in the next 90 seconds does not rest on instinct. It rests on three pieces every CISA candidate should have taped to the office wall: the ISACA Standards, the Code of Ethics, and the formal mandate of the IS-audit function. That tripod — not talent — is what makes a signature unassailable.
The ISACA normative tripod
ISACA publishes a framework structured around three levels of authority. You will see this distinction appear in roughly one question in three on the exam.
| Level | Status | Consequence of non-compliance |
|---|---|---|
| Standards (1001-1402) | Mandatory | Professional misconduct · revocation possible |
| Guidelines | Recommended | Must justify any deviation |
| Tools and Techniques | Informational | None |
Standards are grouped into three families:
- General (1001-1008) — ethics, independence, competence, due care
- Performance (1201-1207) — risk, planning, execution, supervision
- Reporting (1401-1402) — communication of results, follow-up of actions
Organisational independence — Standard 1002
Standard 1002 requires the IS-audit function to be structurally independent from the area being audited. Not in words, but in the org chart. Leo can sign a conclusion against IT because he reports to the Audit Committee of the Board, not to the CIO. The Head of Ops can shout — he has no authority over Leo's career.
Three independence tests the exam loves
- Hierarchical — does the auditor report to someone they may have to audit? (If yes, problem.)
- Economic — does their pay depend on the conclusion? (Bonus tied to the audited project's go-live = NO-GO.)
- Cognitive — did they help design the control? (If yes, they are evaluating their own work.)
Code of Ethics — seven provisions, four tested
The ISACA Code of Ethics has seven clauses. On the exam, four dominate judgment questions:
- Support the implementation of standards
- Maintain confidentiality of information obtained
- Serve with diligence and competence
- Refrain from activities that are illegal or harmful to the profession
How Leo closed the incident
Leo laid down three sentences:
"My signature engages ISACA Standard 1401 on the communication of material deficiencies. The standard requires timely and complete notification to the audit committee. If you want to challenge the conclusion, here is the evidence file — 187 controls tested, 14 material deficiencies documented."
The Head of Ops sat down. The CIO smiled internally. The adverse conclusion held — and three months later, the programme was restructured on the very axes Leo had flagged.
Key takeaways
- Normative tripod: Standards (mandatory) > Guidelines (recommended) > Tools (informational).
- Independence: org chart, economic, cognitive — all three tests must pass.
- Reporting: Standard 1401 mandates timely, complete communication of material deficiencies to governance.
- Code of Ethics: the right answer to a judgment question is the ethical one, not the most efficient.
Preview of one chapter. Each cert includes 100+ narrative chapters with callouts, comparison tables and inline AuditBot.
