Learning Objectives
1. Definition of IS Audit
2. Steps in Conducting an Audit
3. Due Professional Care
4. Management of the IS Audit Function
5. Risk Analysis
6. Internal Control
7. Performing an IS Audit
Objectives of IS Auditing
- Planning the audit
- Tests of controls
- Tests of transactions
- Tests of balances or overall results
- Completion of the audit
Audit Standards
- PSA No. 57: Audit in a computer-based system environment
- PSA No. 59: Computer-assisted audit techniques
- PSA No. 63: Computer information system environment
- PSA No. 64: Online computer information system environment
ISACA
- Audit charter: responsibility, authority, and accountability
- Independence: professional independence; organizational relationship
- Professional ethics and standards: code of professional ethics; due professional care
- Competence: continuing professional education
ISACA (cont.)
- Planning: audit planning
- Performance of audit work: supervision; evidence
- Reporting: report content and form
- Follow-up activities: follow-up
COBIT Guidelines
Management of the IS Audit Function
- Organization of the IS Audit Function
- IS Audit Resource Management
- Audit Planning
- Effect of Laws and Regulations on IS Audit Planning
Organization of the IS Audit Function
- IS audit services can be provided externally or internally.
- If internally:
  - The role should be established by an audit charter.
  - It can be part of internal audit, or function as an independent or integrated group within financial and operational audit.
  - The charter should clearly state management's responsibility, objectives, and authority.
- If externally:
  - The scope and objectives of these services should be documented in a formal contract or statement of work between the contracting organization and the service provider.
  - The service provider should be independent and report to an audit committee, if available, or to the highest management level such as the board of directors.
IS Audit Resource Management
- IS auditors should maintain their competency through updates of existing skills and obtain training directed toward new audit techniques and technological areas.
- They must have the skills and knowledge necessary to perform the auditor's work.
- They should maintain technical competence through appropriate continuing professional education.
- IS audit management should also provide the necessary IT resources to properly perform IS audits of a highly specialized nature.
Audit Planning
- Consists of both short- and long-term planning.
- Analysis of short- and long-term issues should occur at least annually, for: new control issues; changes in the risk environment, technologies and business processes; and enhanced evaluation techniques.
- The results should be reviewed by senior audit management and approved by the audit committee, if available, or alternatively by the board of directors, and communicated to relevant levels of management.
Each individual audit assignment must be adequately planned. Steps to perform audit planning:
1. Gain an understanding of the business
2. Identify policies, standards and required guidelines, procedures, and organization structure
3. Perform a risk analysis
4. Set the audit scope and audit objectives
5. Develop the audit strategy
6. Assign personnel resources
7. Address engagement logistics
Effect of Laws and Regulations on IS Audit Planning
- Business regulations can impact the way data are processed, transmitted and stored.
- IS auditors should review management's privacy policy to ascertain whether it takes into account the requirements of applicable privacy laws and regulations.
- Two major areas of concern: legal requirements (laws, regulatory and contractual agreements) placed on audit or IS audit; and legal requirements placed on the auditee and its systems, data management, reporting, etc.
Risk Analysis
- Risk analysis is part of audit planning and helps to determine the controls needed to mitigate the risks.
- The IS auditor must have knowledge of common business risks, related technology risks and relevant controls.
- The IS auditor must also be able to evaluate the risk assessment and management techniques used by business managers, and to make assessments of risk to help focus and plan audit work.
The risk assessment process:
1. Identify business objectives, information assets, and the underlying systems or information resources
2. Identify threats and determine the probability of occurrence, the resulting impact and additional safeguards
3. Identify controls for mitigating identified risks
4. Cost-benefit analysis: the cost of the control compared to the benefit; management's appetite for risk; preferred risk-reduction methods
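A worked version of the risk assessment process above, added here as an example rather than taken from the slides: expected loss per threat (probability x impact, step 2), a candidate control per threat (step 3), and a treatment decision from the control's cost-benefit and management's risk appetite (step 4). Every asset, probability, impact and control cost is constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Threat:
    asset: str          # information asset identified in step 1
    name: str
    probability: float  # expected occurrences per year (step 2)
    impact: float       # loss per occurrence, currency units (step 2)

@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float  # cost of the control (step 4)
    reduction: float    # fraction of the expected loss it removes

def expected_loss(t: Threat) -> float:
    """Annualised expected loss = probability x impact."""
    return t.probability * t.impact

def net_benefit(t: Threat, c: Control) -> float:
    """Loss avoided by the control minus what the control costs."""
    return expected_loss(t) * c.reduction - c.annual_cost

def treatment(t: Threat, c: Control, appetite: float) -> str:
    """Preferred risk-reduction method given management's risk appetite:
    accept a loss already within appetite; mitigate when the control pays
    for itself; otherwise escalate (transfer or avoid) for a decision."""
    if expected_loss(t) <= appetite:
        return "accept"
    if net_benefit(t, c) > 0:
        return "mitigate"
    return "escalate"

# Constructed register: one threat per asset and one candidate control each.
THREATS = [
    Threat("customer DB", "credential theft", 0.5, 200_000),
    Threat("file server", "ransomware", 0.2, 50_000),
    Threat("intranet wiki", "defacement", 1.0, 2_000),
]
CONTROLS = {
    "credential theft": Control("MFA", 15_000, 0.8),
    "ransomware": Control("offline backups", 12_000, 0.9),
    "defacement": Control("WAF", 8_000, 0.7),
}

def plan(appetite: float = 5_000) -> dict:
    """Treatment decision for every threat at the given risk appetite."""
    return {t.name: treatment(t, CONTROLS[t.name], appetite) for t in THREATS}
```

Raising the appetite moves risks from "mitigate" or "escalate" to "accept" without touching the control costs, which is why the audit plan should record the appetite the decisions were made against.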
Purposes of risk analysis from the IS auditor's perspective:
- Assists the IS auditor in identifying risks and threats
- Helps the IS auditor in his/her evaluation of controls in audit planning
- Assists the IS auditor in determining audit objectives
- Supports risk-based audit decision making
Internal Controls
- Normally composed of policies, procedures, practices and organizational structures which are implemented to reduce risks to the organization.
- Controls are classified as preventive, detective, or corrective.
- Internal accounting controls: primarily directed at accounting operations such as the safeguarding of assets and the reliability of financial records.
- Operational controls: directed at day-to-day operations, functions and activities to ensure that the operation is meeting the business objectives.
- Administrative controls: concerned with operational efficiency in a functional area and adherence to management policies, including operational controls.
- Ensuring availability of IT services by developing efficient business continuity plans (BCP) and disaster recovery plans (DRP)
- Enhancing protection of data and systems by developing an incident response plan
- Ensuring integrity and reliability of systems by implementing effective change management procedures
IS Control Objectives
- Safeguarding assets
- Ensuring integrity of general operating system (OS) environments
- Ensuring integrity of sensitive and critical application system environments
- Ensuring appropriate identification and authentication of users of IS resources

COBIT supports IT governance by ensuring that:
- IT is aligned with the business
- IT resources are used responsibly
- IT risks are managed appropriately
Its four domains:
- Plan & Organize: identification and strategy on IT investment
- Acquire & Implement: integrated realization of IT planning and applications
- Deliver & Support: IT support for business operations
- Monitor & Evaluate: scheduled evaluation of IT processes
IS Control Procedures
- Strategy and direction
- General organization and management
- Access to IT resources, including data and programs
- Systems development methodologies and change control
- Quality assurance (QA) procedures
- Physical access controls
- Business continuity planning (BCP)/disaster recovery planning (DRP)
- Networks and communications
- Database administration
- Protection and detective mechanisms against internal and external attacks
Performing an IS Audit
- Classification of Audits
- Audit Programs
- Audit Methodology
- Audit Risk and Materiality
- Risk Assessment and Treatment
- Risk Assessment Techniques
- Audit Objectives
- Compliance vs. Substantive Testing
- Evidence
- Interviewing and Observing Personnel in Action
- Sampling
- Computer-Assisted Audit Techniques
- Evaluation of Audit Strengths and Weaknesses
- Communicating Audit Results
- Management Implementation of Recommendations
- Audit Documentation
Describe and give an example for each of the steps in performing an IS audit. You may search the internet or other sources for help.