
ISACA releases the new IT Audit Framework

  • Writer: Katarzyna Celińska
  • 11 hours ago

ISACA has published the 5th Edition of the IT Audit Framework, a major refresh that aligns IT audit with how technology (and risk) actually look today: cloud ecosystems, AI/ML, automation, third-party dependence, and rising expectations for digital trust.

 

ISACA also highlights that adherence to ITAF is a requirement for CISA certified professionals, which makes this update especially relevant for the global audit community.



 

ITAF has always provided structure for planning, performing and reporting IT audit work. What changed is the environment:

➡️ IT is no longer a closed perimeter; it’s a digital ecosystem across cloud/SaaS/APIs/third parties.

➡️ Audit teams are expected to deliver faster insights, use analytics, and operate closer to the business.

➡️ Emerging tech introduces new risk patterns that don’t fit “traditional control checklists.”

 

ITAF 5 is a response to that reality, modernizing terminology, scope, and practical guidance.

 

ISACA summarizes key updates in four themes:

Modernized content and scope

ITAF 5 updates definitions and examples to reflect modern technologies like cloud computing, AI/ML, and business automation, moving beyond the older “traditional IT controls” focus.

 

Digital trust and emerging technology integration

Digital trust concepts are woven through the audit lifecycle, and the framework adds guidance for AI/ML auditing, aligned with ISACA’s broader AI audit resources.

 

More practical and usable for organizations of all sizes

ISACA explicitly calls out improved clarity, more practical language, and better usability.

 

Broader audit practices and governance expectations

The scope expands to include data analytics, agile auditing, continuous assurance, and AI governance, plus stronger expectations around transparency and oversight of automated systems.

 

What’s inside

 

ITAF 5 keeps a clear structure: Standards (mandatory), Guidelines (recommended), and Tools & Techniques, with Standards grouped into:

➡️ General Standards (1000 series): ethics, independence, objectivity, due care, proficiency, criteria, assertions

➡️ Performance Standards (1200 series): planning, risk assessment, evidence, supervision, use of experts, irregularities

➡️ Reporting Standards (1400 series): reporting and follow-up

 

Companion guidance

Alongside ITAF 5, ISACA also updated companion guidance, including Performance Guidelines 2208: Information Technology Audit Sampling.

 

This is very practical given the reality of 2026: massive logs, cloud events, identity records, CI/CD pipelines, and a constant push toward data-driven assurance. The guidance explicitly discusses statistical, nonstatistical, data-driven (analytics-enabled) and hybrid sampling approaches, and even addresses when sampling is inappropriate.



 
 
 
