
IT Audit and Risk Governance

DTETI
2018
Introduction

• Definition
“Examine carefully for accuracy with the intent of verification”
“A methodical examination or review of a condition or situation”

• Why Audit?
• Who?

[Diagram: System Management; Information System; Organization Management; Linked System; Internal System]

IS/IT Audit

• Information Systems (IS)


– Involves more than just computers
– Successful application requires understanding of the
• Business
• Environment
• Computer-Based Information Systems (CBIS)
– Computer utilization (hardware/software/database/network)
– Technology to perform tasks (procedures/people/etc)

• Collection of IS; the term is often used interchangeably with Information Technology (IT)
IT Audit
• Independent review and examination of records and activities to assess the
adequacy of internal controls, to ensure compliance with established policies and
operational procedures, and to recommend necessary changes in controls,
policies, or procedures
• The process of collecting and evaluating evidence to determine whether a computer
system safeguards assets, maintains data availability/integrity/confidentiality,
achieves organisational goals effectively and consumes resources effectively.
– involves evaluating the computer’s role in achieving
• audit objectives
• control objectives
– means proving data and information are
• reliable
• confidential
• secure
• available
– includes attest objectives like
• safeguarding of assets and data integrity,
• operational effectiveness
Standards
• Auditors are guided in their professional responsibility by the generally
accepted auditing standards (GAAS)

Generally Accepted Auditing Standards

• General Standards
– The auditor must have adequate technical training and proficiency to perform the audit.
– The auditor must maintain independence in mental attitude in all matters related to the audit.
– The auditor must use due professional care during the performance of the audit and the preparation of the report.

• Standards of Field Work
– Audit work must be adequately planned.
– The auditor must gain a sufficient understanding of the internal control structure.
– The auditor must obtain sufficient, competent evidence.

• Standards of Reporting
– The auditor must state in the auditor's report whether the financial statements are presented in accordance with generally accepted accounting principles.
– The report must identify those circumstances in which generally accepted accounting principles were not applied.
– The report must identify any items that do not have adequate informative disclosures.
– The report shall contain an expression of the auditor's opinion on the financial statements as a whole.
Auditing Aims

Internal
• Responsibility of Performance
– Company’s own employees
– External of the department being audited
• Audit Purpose
– Employee compliance with policies and procedures
– Development and evaluation of internal controls
External
• Responsibility of Performance
– Those outside the organization
– Accountants working for independent CPA
• Audit Purpose
– Performance of the attest function
– Evaluate the accuracy and fairness of the financial statements relative to
GAAP
Audit Type

Internal audit
• company personnel reporting to
– top management and/or
– the Audit Committee of the Board of Directors
• external to the corporate department or division being audited
• concerns employee adherence to
– company policies and procedures,
– evaluation of internal controls
• relatively broad in scope, including
– auditing for fraud,
– ensuring that employees are not copying software programs illegally
• provide assurance to a company's top management about
– the efficiency of its organization and
– effectiveness of its organization

External audit
• Independent
• evaluate the risks
– the integrity of accounting data
• make recommendations
– to managers
– to improve these controls
• conducted in the context of GAAP
• check if financial statements
– are free of material errors
– do not contain fraudulent misstatements
• includes a variety of assurance services
IT Audit Function

Elements
• Scope
1. Physical and Environmental
2. System Administration
3. Application Software
4. Application Development
5. Network Security
6. Business Continuity
7. Data Integrity

• Objectives (of the IT/IS audit)
– Improved Data Integrity
– Safeguarding of IT/IS Assets
– Improved System Effectiveness
– Improved System Efficiency
Policies, Standards, Guidelines, and Procedures

Organizations typically have four types of documents in place:
– Policy
– Standard
– Guideline
– Procedure

Policy
• Provides emphasis
• Sets directions
• Signed by management authority

Standard
• Specifies uniform method of support for policy
• Compliance is mandatory

Guideline
• Suggested actions to consider in absence of applicable standard
• Discretionary usage
• Can be used to create new standard

Procedure
• Step-by-step instruction to perform desired actions
• Provides support for standard
• Compliance is mandatory

[Diagram annotations: "Ineffective Result?"; "Change control process to review and revise"]
IT Governance

• The process for controlling an organization's IT resources, including
information and communication systems, and technology.
• IT is utilized to promote an organization's objectives, to enable
business processes, and to manage and control IT-related risks.

• General Controls
– The concept is relatively new
– Ensuring that effective IT management and security principles, policies and
processes with appropriate compliance measurement tools are in place
– Requires an active audit committee
• Control Objectives for Information and Related Technology/COBIT Guideline
– Identifies critical success factors, key goal and performance indicators, and an
IT governance maturity model.
– IT governance framework begins with setting IT objectives and measures and
compares performance against them
– Assessing business risks,
– Controlling for business risks, and
– Evaluating the effectiveness of controls
Controls Hierarchy

• General and Application Controls of Information Technology
– Governance
• Policies
• IT Standards
– Management
• Management and Organization
• Physical and Environmental Controls
– Technical
• Systems Software Controls
• Systems Development Controls
• Application-based Controls

Auditing Structure

[Diagram: audit organization chart]
• CEO/CIO
• Board Audit Committee
• Head of Audit Dept
– Head of IT Audit
• IT Audit Team Members
• IT Auditors Specialist
– Head of Non-IT Audit
• Non-IT Audit Team Members

[Diagram: audit layers]
• Financial Auditor
• Support for Financial Auditors
• Information Systems Auditor
– Application
– Database
– Middleware
– Operating System
– Network Intra
– Physical Facility
– Entity-Level Controls
Member of Enterprise Audit Organization


• Follows and adheres to the standards and principles of the Institute of Internal Auditors
(IIA) and the Information Systems Audit and Control Association (ISACA)
Professional Certification
• Certified Information Systems Auditor (CISA) certification
– by completing an examination given by ISACA
– meeting specific experience requirements
– complying with a Code of Professional Ethics
– undergoing continuing professional education
– complying with the Information Systems Auditing Standards
• Certified Information Security Manager (CISM)
– granted by ISACA
– evaluates knowledge in
• in information security governance
• information security program management
• risk management
• information security management
• response management.
Auditors Must Have

• Knowledge, skill and abilities


– Knowledge of auditing, IS and network security
– Investigation and process flow analysis skills
– Interpersonal/human relation skills
– Verbal and written communications skills
– Ability to exercise good judgment
– Ability to maintain confidentiality
– Ability to use IT desktop office tools, vulnerability analysis tools, and other IT
tools
• Many of the audit steps are nontechnical
– Ability to work in a team with other auditors
– Ability to interact with clients, which requires strong interpersonal relationships
– Will need to interview the CIO
Auditors Roles and Responsibilities

• Ensure IT governance by assessing risks and monitoring controls over those risks
• Works as either an internal or an external auditor
• Works on many kinds of audit engagements
• Reviews and assesses enterprise management controls
• Reviews and performs tests of enterprise internal controls
• Report to management
• Job Tasks
– Designs technology-based audit approaches; analyzes and evaluates
enterprise IT processes
– Works independently or in a team to review enterprise IT controls
– Examines the effectiveness of the information security policies and procedures
– Develops and presents training workshops for audit staff
– Conducts and oversees investigations of inappropriate computer use
– Performs special projects and other duties as assigned
Financial vs IT Audit

• IT auditors may work on financial audit engagements
• IT auditors may work on every step of the financial audit engagement
• Standards, such as SAS No. 94, guide the work of IT auditors on financial
audit engagements
• IT audit work on financial audit engagements is likely to increase as
internal control evaluation becomes more important

The Role of IT Auditors in the Financial Audit Process (flowchart)
1. Develop an understanding and perform preliminary audit work
2. Develop audit plan
3. Evaluate the internal control system
4. Determine degree of reliance on internal controls
5. Perform substantive testing
6. Review work and issue audit report
7. Conduct follow-up work
Effective IT Audit

• Early involvement
• Informal audits
• Knowledge sharing
• Self-assessments
Computer Roles in Internal Controls

• Separation of duties
• Delegation of authority and responsibility
• Competent and trustworthy personnel
• System of authorizations
• Adequate documents and records
• Physical control over assets and records
• Adequate management supervision
• Independent check on performance
• Comparing recorded accountability with assets