
Introduction to Information Systems Audit Concepts

Learning Objectives
1. Definition of IS Audit
2. Steps in Conducting an Audit
3. Due Professional Care
4. Management of the IS Audit Function
5. Risk Analysis
6. Internal Control
7. Performing an IS Audit

Definition by Ron Weber
- IS audit is the process of collecting and evaluating evidence to determine whether a computer system safeguards assets, maintains data integrity, allows organizational goals to be achieved effectively, and uses resources efficiently.

Objectives of IS Auditing
- Asset safeguarding
- Data integrity
- System effectiveness
- System efficiency

Steps in Conducting an Audit
- Planning the audit
- Tests of controls
- Tests of transactions
- Tests of balances or overall results
- Completion of the audit

Due Professional Care
- Attestation and PSAP Standard
- ISACA
- CObIT

Attestation and PSAP Standard
- Audit standards: general standards, fieldwork standards, reporting standards
- PSA No.57: Auditing in a computer-based system environment
- PSA No.59: Computer-assisted audit techniques
- PSA No.63: Computer information system environments
- PSA No.64: Online computer information system environments
- PSA No.65: Computer information system environments with database systems

ISACA
- Audit charter: responsibility, authority, and accountability
- Independence: professional independence; organizational relationship
- Professional ethics and standards: code of professional ethics; due professional care
- Competence: continuing professional education

ISACA (cont.)
- Planning: audit planning
- Performance of audit work: supervision; evidence
- Reporting: report content and form
- Follow-up activities: follow-up

CObIT Guidelines
- Control objectives
- Audit guidelines
- Management guidelines

Management of the IS Audit Function
- Organization of the IS Audit Function
- IS Audit Resource Management
- Audit Planning
- Effect of Laws and Regulations on IS Audit Planning

Organization of the IS Audit Function
- IS audit services can be provided externally or internally.
- If provided internally:
  - The role should be established by an audit charter.
  - The function can be part of internal audit, operating either as an independent group or as a group integrated within financial and operational audit.
  - The charter should clearly state management's responsibility, objectives, and authority.

Organization of the IS Audit Function (cont.)
- If provided externally:
  - The scope and objectives of the services should be documented in a formal contract or statement of work between the contracting organization and the service provider.
  - The function should be independent and report to an audit committee, if available, or to the highest management level, such as the board of directors.

IS Audit Resource Management
- IS auditors maintain their competency by updating existing skills and obtaining training directed toward new audit techniques and technological areas.
- They must have the skills and knowledge necessary to perform the auditor's work.
- Technical competence is maintained through appropriate continuing professional education.
- IS audit management should also provide the IT resources necessary to properly perform IS audits of a highly specialized nature.

Audit Planning
- Consists of both short- and long-term planning.
- Analysis of short- and long-term issues should occur at least annually, covering:
  - new control issues;
  - changes in the risk environment, technologies and business processes; and
  - enhanced evaluation techniques.
- The results are reviewed by senior audit management, approved by the audit committee (if available) or alternatively by the board of directors, and communicated to the relevant levels of management.

Audit Planning (cont.)
- Each individual audit assignment must be adequately planned.
- Steps in audit planning:
  - Gain an understanding of the business
  - Identify policies, standards, required guidelines, procedures, and the organization structure
  - Perform a risk analysis
  - Set the audit scope and audit objectives
  - Develop the audit strategy
  - Assign personnel resources
  - Address engagement logistics

Effect of Laws and Regulations on IS Audit Planning
- Business regulations can affect the way data are processed, transmitted and stored.
- IS auditors should review management's privacy policy to ascertain whether it takes into account the requirements of applicable privacy laws and regulations.
- Two major areas of concern:
  - Legal requirements (laws, regulatory and contractual agreements) placed on audit or IS audit, and
  - Legal requirements placed on the auditee and its systems, data management, reporting, etc.

Risk Analysis
- Risk analysis is part of audit planning and helps determine the controls needed to mitigate the risks.
- The IS auditor must have knowledge of common business risks, related technology risks and the relevant controls.
- The IS auditor must also be able to evaluate the risk assessment and management techniques used by business managers, and to make assessments of risk that help focus and plan the audit work.

Risk Analysis (cont.)
- The risk assessment process:
  - Identify business objectives, information assets, and the underlying systems or information resources
  - Identify threats and determine the probability of occurrence, the resulting impact, and any additional safeguards needed
  - Identify controls for mitigating the identified risks
  - Cost-benefit analysis: the cost of the control compared to its benefit
  - Management's appetite for risk
  - Preferred risk-reduction methods
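A worked example of the cost-benefit step above, added here and not part of the lecture slides: threats are scored by probability (annual rate of occurrence) and impact (single loss expectancy), candidate controls are compared on cost versus avoided loss, and risks within management's appetite are accepted. The assets, threats, control costs and risk-appetite threshold are all constructed figures.

```python
# Added example of the slide's risk-assessment steps; all figures are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Threat:
    asset: str
    name: str
    aro: float   # probability: expected occurrences per year
    sle: float   # impact: loss per single occurrence (currency units)

@dataclass(frozen=True)
class Control:
    name: str
    threat: str           # name of the Threat this control mitigates
    annual_cost: float
    aro_reduction: float  # fraction by which the control lowers the ARO (0..1)

def ale(t: Threat) -> float:
    """Annualized loss expectancy = probability x impact."""
    return t.aro * t.sle

def net_benefit(t: Threat, c: Control) -> float:
    """Cost-benefit: ALE avoided by applying the control, minus its annual cost."""
    residual = Threat(t.asset, t.name, t.aro * (1 - c.aro_reduction), t.sle)
    return (ale(t) - ale(residual)) - c.annual_cost

def recommend(threats, controls, risk_appetite: float) -> dict:
    """Accept risks at or below management's appetite (an ALE threshold); above it,
    pick the control with the largest positive net benefit, or flag for escalation."""
    decisions = {}
    for t in threats:
        if ale(t) <= risk_appetite:
            decisions[t.name] = "accept (within risk appetite)"
            continue
        options = [(net_benefit(t, c), c.name) for c in controls if c.threat == t.name]
        best = max(options, default=(0.0, None))
        decisions[t.name] = best[1] if best[0] > 0 else "escalate: no cost-justified control"
    return decisions

# Constructed sample risk register (hypothetical assets, threats and figures).
THREATS = [
    Threat("customer database", "unauthorized access", aro=0.5, sle=200_000),
    Threat("payroll application", "data-entry error", aro=12, sle=500),
    Threat("file server", "hardware failure", aro=0.1, sle=20_000),
]
CONTROLS = [
    Control("MFA and quarterly access review", "unauthorized access", 30_000, 0.8),
    Control("database encryption", "unauthorized access", 90_000, 0.9),
    Control("input validation", "data-entry error", 2_000, 0.75),
]
```

Running `recommend(THREATS, CONTROLS, 5_000)` accepts the hardware-failure risk (ALE 2,000), selects MFA for unauthorized access (net benefit 50,000 versus roughly zero for encryption) and input validation for data-entry errors.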

Risk Analysis (cont.)
- Purposes of risk analysis from the IS auditor's perspective:
  - Assists the IS auditor in identifying risks and threats
  - Helps the IS auditor evaluate controls during audit planning
  - Assists the IS auditor in determining audit objectives
  - Supports risk-based audit decision making

Internal Controls
- Normally composed of policies, procedures, practices and organizational structures that are implemented to reduce risks to the organization.
- Types of controls:
  - Preventive
  - Detective
  - Corrective

Internal Control Objectives
- Internal accounting controls: primarily directed at accounting operations, such as the safeguarding of assets and the reliability of financial records.
- Operational controls: directed at day-to-day operations, functions and activities to ensure that the operation is meeting the business objectives.
- Administrative controls: concerned with operational efficiency in a functional area and adherence to management policies, including operational controls.

IS Control Objectives (cont.)
- Ensuring availability of IT services by developing effective business continuity plans (BCP) and disaster recovery plans (DRP)
- Enhancing protection of data and systems by developing an incident response plan
- Ensuring integrity and reliability of systems by implementing effective change management procedures

IS Control Objectives
- Safeguarding assets
- Ensuring integrity of general operating system (OS) environments
- Ensuring integrity of sensitive and critical application system environments
- Ensuring appropriate identification and authentication of users of IS resources
- Ensuring the efficiency and effectiveness of operations

Control Objectives for Information and Related Technology (CObIT)
- Supports IT governance by ensuring that:
  - IT is aligned with the business
  - IT resources are used responsibly
  - IT risks are managed appropriately
- Four domains:
  - Plan & Organize: identification of, and strategy for, IT investment
  - Acquire & Implement: integrated realization of IT plans and applications
  - Deliver & Support: IT support for business operations
  - Monitor & Evaluate: scheduled evaluation of IT processes

IS Control Procedures
- Strategy and direction
- General organization and management
- Access to IT resources, including data and programs
- Systems development methodologies and change control
- Operations procedures
- Systems programming and technical support functions
- Quality assurance (QA) procedures
- Physical access controls
- Business continuity (BCP) / disaster recovery planning (DRP)
- Networks and communications
- Database administration
- Protective and detective mechanisms against internal and external attacks

Performing an IS Audit
- Classification of Audits
- Audit Programs
- Audit Methodology
- Audit Risk and Materiality
- Risk Assessment and Treatment
- Risk Assessment Techniques
- Audit Objectives
- Compliance vs. Substantive Testing
- Evidence
- Interviewing and Observing Personnel in Action
- Sampling
- Computer-Assisted Audit Techniques
- Evaluation of Audit Strengths and Weaknesses
- Communicating Audit Results
- Management Implementation of Recommendations
- Audit Documentation

Assignment for Students
- Describe, and give an example for, each step in performing an IS audit.
- You may search the internet or other sources for help.
