
Information System

Auditing
Presented by Instructor Team

Agenda
1. Introduction to Information System Auditing
2. Introduction to the Basis of IT-related Business Risks and Controls
3. Integration of Financial Audit and IS Audit
4. Application of IS Audit and Web Trust
Backgrounds

1. Return on Investment & IT Business Risks

– A significant portion of a company’s investment goes into Information Technology
· Companies implement new systems (ERP, e-Commerce) or make significant modifications (changed business requirements)
· Will the business requirements be met by the IT solutions?
· What is the return on investment?

– Computer/EDP-related errors and irregularities
· Incorrect processing/calculation, e.g. billing systems, phone banking, Internet banking, etc.
· Discontinuity of the IT function due to disasters, viruses, etc.
· Computer fraud
Backgrounds (cont’d)

2. Complex Systems & Assurance Needs

– Highly integrated, computerized processing of business transactions
· Need for a certain level of understanding of, and assurance over, complex accounting transaction processing systems.

– Introduction of new advanced technology
· e-Commerce, EDI (Electronic Data Interchange)
· SWIFT

– Audit evidence: electronic and hardcopy evidence
· Use of passwords for authorization
· No print-out of transaction listings
Backgrounds (cont’d)

3. Quality and Career

– Maintain individual competitiveness (globalization)
– Focus and specialization in managing IT risk and audit

4. Audit Requirements
– For the External Auditor
• SA Section 314: Risk Assessment and Internal Control - Consideration and EDP Characteristics
• SA Section 335: Auditing in an EDP Environment
– For the Internal Auditor
• SPFAIB for the Banking Industry
Definition: Information Systems Auditing

The process of collecting and evaluating evidence to determine whether a computer system (information system) safeguards assets, maintains data integrity, allows organizational goals to be achieved effectively, and uses resources efficiently.

(Ron Weber)
IS Audit Objectives

Asset Safeguarding
The assets of a computer installation, which include hardware, software, people, data files, system documentation, and supplies, must be protected by a system of internal control.

Data Integrity
Data integrity is a fundamental concept in IS auditing. It is a state implying that data has certain attributes: completeness, soundness, purity, veracity.

System Effectiveness and Efficiency
• Evaluating effectiveness implies knowledge of user needs.
• An efficient data processing system uses minimum resources to achieve its required output.
Information System Auditor vs Financial/Internal Auditor

Matters                    Information System Auditor                                  Financial/Internal Auditor
Standards                  Generally Accepted IT Controls Principles (COBiT)           GAAP / SAS 78: Internal Control
Auditee                    IT Division                                                 Mostly Finance & Accounting Dept / all functions of the organization
Professional Organization  ISACA                                                       AICPA / IIA
Qualification              CISA                                                        CPA / CIA
Career Objectives          Chief Information Officer; Consultants: Auditor/Advisor     Chief Financial Officer; Head of Internal Audit Division
                           for Information Systems/Technology Control
ISACA: Information Systems Audit and Control Association
• The Information Systems Audit and Control Association® (ISACA™) is a recognized global leader in IT governance, control and assurance. ISACA sponsors international conferences and administers the globally respected CISA® certification.
• Founded in 1969.
• Now more than 110,000 constituents in over 180 countries.
• Its members include internal and external auditors, CEOs, CFOs, CIOs, educators, information security and control professionals, business managers, students, and IT consultants.
• Develops globally applicable Information Systems (IS) Auditing and Control Standards.
• Certifies professionals as CISA (Certified Information Systems Auditor™).
• More than 103,000 people have earned the CISA designation since its inception in 1978.
Specific Industry Applications

• Banking (Internet and mobile banking)
• Insurance (agency systems)
• Telecommunication (billing systems)
• Oil and Gas (purchasing and inventory systems)
• Manufacturing (product costing)
• Retail (point of sale)

Non-Specific Industry Applications

• Reporting Systems
• Call Center
• Enterprise Resource Planning
• Office Automation
• Cloud Computing
The Need for Control and IS Audit
‘Your business processes depend on the computer applications and data that support them - so you need to be sure that your data and systems are secure. Yet, all the time, rapid changes in business and technology keep increasing your organization's control and security challenges - and reducing your reaction time.’

Source: Ernst & Young website – www.ey.com


IT Business Risk

Although technology provides opportunities for growth and development, it also represents threats, such as disruption, deception, theft, and fraud. Research shows that outside attackers threaten organizations, yet trusted insiders are a far greater threat.

IT controls are essential to protect assets, customers, partners, and sensitive information; demonstrate safe, efficient, and ethical behavior; and preserve brand, reputation, and trust. In today’s global market and regulatory environment, these things are too easy to lose.
Information Security Risk

[Figure: the three security objectives Confidentiality, Integrity and Availability, surrounded by the risks that threaten them: unauthorized disclosure, information theft, unauthorized use, unauthorized modification, security destruction, and unauthorized denial.]
Executives’ View about IT Risk and Control

1. Why should I understand IT risk and control?
Two words: assurance and reliability.

2. What is to be protected?
Trust should be protected because it ensures business efficiency.

3. Where are IT controls applied?
Everywhere. IT includes technology components, processes, people, organization, and architecture, as well as the information itself.

Executives’ View (cont’d)

4. Who is responsible?
Everyone. However, control ownership and responsibilities must be defined and disseminated by management.

5. When should IT risk and controls be assessed?
Always. IT is a rapidly changing environment that promotes process and organizational change.

6. How much control is enough?
Management must decide based on risk appetite, tolerance and mandatory regulations.
View of IT Controls
Information system auditors need to understand the range of controls available for mitigating IT risks.

IT Governance
The controls can be thought of as existing within a hierarchy that relies on the operating effectiveness and interconnectivity of the controls, as well as the realization that failure of a set of controls can lead to increased reliance on, and necessary examination of, other control groups.

Another View

General Control
General IT controls are typically pervasive in nature and are addressed through various audit avenues.

Application Control
Application controls provide another category of controls and include controls within an application around input, processing, and output.
IT Governance

• When addressing the topic of IT controls, an important consideration is IT governance, which provides the framework to ensure that IT can support the organization’s overall business needs.
– IT governance is not only composed of the controls needed to address identified risk but also is an integrated structure of IT practices and personnel that must be aligned closely with – and enable achievement of – the organization’s overall strategies and goals.

IT Controls

[Figure: IT controls as part of Internal Controls. Application Controls cover computer application systems and programs. General Controls cover application systems development/changes and the computer service center (operations and security).]
IT Controls and Financial Reporting
Information Technology
Risk and Controls
Financial Audit Objective and External Auditors’ Responsibility

• The primary objective of an audit of financial statements is to express an opinion as to whether the financial statements are fairly presented, in all material respects, at a specified date.
• It is the external auditors’ responsibility to design the audit engagement to provide reasonable assurance that the financial statements are fairly stated in all material respects.
When is an IS Audit required?
• Importance to the client’s business activities: limited / moderate / very important
• Complexity of the computer environment: simple / moderate / complex
• Extent of use in the business: limited / moderate / pervasive
• Overall classification: minor / significant / dominant
• An IS auditor will be involved if the overall classification is significant or dominant.
• Does the size of a company also determine the involvement of an IS auditor?
SPAP* related to IS Audit
• SA 314: Risk Assessment and Internal Control - Consideration and Characteristics of Computer Information Systems (SIK)
• SA 319: Consideration of Internal Control in a Financial Statement Audit
• SA 324: Reporting on the Processing of Transactions by Service Organizations
• SA 327: Computer-Assisted Audit Techniques
• SA 335: Auditing in a Computer Information System (SIK) Environment

• * SPAP = Standar Profesional Akuntan Publik (Professional Standards for Public Accountants, issued by Institut Akuntan Publik Indonesia/IAPI)
Conclusion
• An IS audit is very relevant when external auditors are engaged in auditing a client that has significant or dominant computer processing environment(s).
• From the external auditors’ point of view, an IS audit will help them determine whether control assurance and substantive assurance can be obtained in order to achieve an effective and efficient audit.
Agenda 4: Application of IS Audit and Web Trust

WebTrust – SysTrust Certification

Note on fulfilment of the principles

WebTrust Defined

PROCESSING INTEGRITY
Through SysTrust (see next slide)

Ernst & Young’s seal - Cyber Process Certification

Report of Management
Example of WebTrust Application

Report of Independent Accountants

Certification for Internet Banking

VeriSign Certificate

Agenda 4: Application Example: Financial Statement Audit & Web Trust

Certification for Internet Banking

Comparison of Seals

Product     Cost            Privacy of Data   Security of Data                              Business Policies   Transaction Processing Integrity
BBBOnline   Low             NO                NO                                            Lightly covered     NO
TRUSTe      Low             YES               NO                                            NO                  NO
VeriSign    Low to medium   NO                YES: data transmittal; NO: data storage       NO                  NO
ICSA        High            YES               YES                                           Somewhat covered    Lightly covered
WebTrust    High            YES               YES                                           YES                 YES
End of Presentation
Thank You.