8/13/2019 Session 04 - GCR 1
1/31
21 September 2013
Session: IT General Controls, Part 1
IS Audit Syllabus
1. Introduction of IS Audit
2. IT Environment
3. IT Process
4. General Computer Control Review (1)
5. General Computer Control Review (2)
6. General Computer Control Case Study
7. Application Control Review
8. Data Analysis Approach
9. IT Audit Integration
10. IT Security
11. IT Risk Management & IT Governance
12. ERP Systems
Module Objectives
Gain an understanding of the IT General Controls
Understand what is included in the IT General Controls
Agenda
PART 1
Overview
IT planning and organization
Change management
PART 2
Physical security
Logical access controls
Back-up, recovery and contingency
Study Guide in Book of Weber

Topic | Chapter | Pages
Management and organization | 3. Top Management Controls | 72-83 (12); 86-90 (5)
Change Management | 4. System Development Management Controls; 5. Programming Management Controls | 105-137 (36); 160-185 (26)
Physical Security | 7. Security Management Controls | 244-266 (32)
Logical Access Security | 10. Boundary Controls | 378-391 (13)
Back-up, recovery and contingency | 7. Security Management Controls | 268-272 (5)
Overview
Controls in Computerized Information Systems (SIK), PSA 60 / SA 314
- Characteristics of a SIK
Organizational characteristics
Concentration of functions and knowledge
Concentration of programs and transaction data
System characteristics
Absence of input documents
Absence of a transaction trail
Output that is not visible to the eye
Controls in Computerized Information Systems (SIK), PSA 60 / SA 314
- Characteristics of a SIK
Design and procedures
Consistent performance
Programmed control procedures
Single transaction update to database files
Presence of system-generated transactions
Vulnerability of transaction data storage media to physical damage and to program damage
Internal Control in a SIK
Manual and computer control procedures consist of:
Overall controls that affect the SIK environment (SIK general controls), and
Specific controls over accounting applications (SIK application controls).
General Controls - SA 314
Objective: to establish an overall control framework over SIK activities and to provide reasonable assurance that the objectives of internal control as a whole can be achieved.
General Controls Elements
General controls include:
Organization and management controls
Controls over the development and maintenance of application systems
Controls over system operation
Controls over system software
Controls over data and program entry
Back up and recovery
Organization and management controls
Designed to establish the organizational framework for SIK activities.
Operating and management controls include:
Policies and procedures relating to the control function.
Appropriate segregation of incompatible functions (such as transaction input preparation, programming, and computer operations).
Controls over the development and maintenance of application systems
Designed to provide reasonable assurance that systems are developed and maintained in an efficient manner and through a proper authorization process.
These controls are also designed to establish control over:
Testing, change, implementation, and documentation of new or revised systems.
Changes to application systems.
Access to system documentation.
Acquisition of application systems and program listings from third parties.
Controls over system operation
Designed to control the operation of systems and to provide reasonable assurance that:
Systems are used only for authorized purposes.
Access to computer operations is restricted to authorized employees.
Only authorized programs are used.
Processing errors can be detected and corrected.
General Control Illustration (diagram; only its labels are recoverable)
Environments: Development, Testing, Production (Input, Process, Output)
Roles: IT manager, Security Administrator, Programmer
Control layers: Logical Access Control, Physical Access Control, Program Change Control, Policy and Standard Operating Procedures, BCP, Backup and Recovery, Contingency Site
IT Planning and Organization
Organization
Definition: Organizational controls ensure the alignment of IT facilities with the business needs and the proper management of these facilities.
Key controls:
Planning and budgeting
Quality and quantity of staff
Segregation of duties or close supervision
Efficient use of IT
Procedures and documentation
Key risks:
IT does not support business needs
Loss of efficiency, untimely problem solving, unsatisfied staff, no improvements
Unwanted combination of functions
Untimely management reporting
High dependence on one/few persons
Type of IT Plan
Strategic Plan (3-5 years)
Current information assessment
Strategic directions
Development strategy
Operational Plan (1-3 years)
Progress reports
Initiatives to be undertaken
Implementation schedule
IT Plan Review
Auditors evaluate whether top management has formulated a high-quality information systems plan appropriate to the needs of their organization.
Examples of risks caused by poor planning:
Declining efficiency and effectiveness of IT functions,
Insufficient resources to provide the required IT functions / availability,
Going concern issues and lack of competitive advantages.
Organizational issues
Position of IT department in organization
Planning and reporting
Centralization or decentralization of tasks
Functions and task descriptions of IT staff
Quality and quantity of staff
Cost center, Profit center, Investment center and Hybrid center
Change Management
Change Management
Definition: Change management procedures ensure that changes in the IT hardware and software do not negatively affect the general and application controls.
Key controls:
Use of development and programming standards
Proper testing by the users
Up-to-date hardware and software documentation
User involvement in initiating and approving changes
Key risks:
Loss of effectiveness of IT controls
Loss of valuable hardware during changes
IT no longer meets the business needs
Integrated Audit Approach with the Systems Development Life Cycle
Feasibility Study
Information Analysis
System Design
Program Development
Procedures and forms development
Acceptance Testing
Conversion
Operation & Maintenance
Software Change Process
Development: read, write and delete access rights for developers
Test and acceptance: use access rights for developers and users
Production: use access rights for users
Software library: read access for librarian
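As an added example that is not part of the slides, the access-right matrix of the software change process above and the segregation of incompatible functions from the organization and management controls slide are encoded as one policy, and a review routine flags accounts whose rights or function combinations fall outside it; the environment labels, role names, account names and the sample account list are constructed.

```python
from dataclasses import dataclass, field
# Rights each role may hold per environment, as drawn on the slide
# ("use" means run only). Anything outside this table is a finding.
POLICY = {
    ("developer", "development"): {"read", "write", "delete"},
    ("developer", "test_acceptance"): {"use"},
    ("user", "test_acceptance"): {"use"},
    ("user", "production"): {"use"},
    ("librarian", "software_library"): {"read"},
}
# Functions the organization-controls slide says one person must not combine.
INCOMPATIBLE = {frozenset({"transaction_input", "programming"}),
                frozenset({"programming", "computer_operations"}),
                frozenset({"transaction_input", "computer_operations"})}

@dataclass
class Account:
    name: str
    role: str
    rights: dict  # environment -> set of rights actually held
    functions: set = field(default_factory=set)  # business functions performed

def access_violations(acct):
    """Rights held beyond what POLICY grants the account's role."""
    out = []
    for env, held in acct.rights.items():
        allowed = POLICY.get((acct.role, env), set())
        out += [(acct.name, env, r) for r in sorted(held - allowed)]
    return out

def sod_violations(acct):
    """Incompatible function pairs held by one account, as sorted tuples."""
    return sorted(tuple(sorted(p)) for p in INCOMPATIBLE if p <= acct.functions)

# Constructed sample accounts (hypothetical names) for a review run.
SAMPLE = [
    Account("dev_ani", "developer",
            {"development": {"read", "write", "delete"}, "production": {"write"}}),
    Account("usr_budi", "user", {"production": {"use"}},
            {"transaction_input", "computer_operations"}),
    Account("lib_cici", "librarian", {"software_library": {"read"}}),
]

def review(accounts=SAMPLE):
    """Run both checks over every account and return the findings list."""
    findings = []
    for a in accounts:
        findings += access_violations(a)
        findings += [(a.name, "sod", "+".join(p)) for p in sod_violations(a)]
    return findings
```

Running review() on the sample reports the developer holding write access in production and the user combining transaction input with computer operations; the librarian, limited to read access in the software library, produces no finding.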
Preliminary study
To evaluate the feasibility of the new system using four criteria:
Technical feasibility: Is the available technology sufficient to support the proposed project? Can the technology be acquired or developed?
Operational feasibility: Can the input data be collected for the system? Is the output usable?
Economic feasibility: Do the benefits of the system exceed the cost?
Behavioral feasibility: What impact will the system have on the users' quality of working life?
Types of Testing
Program Testing
System Testing
User Testing
Quality Assurance Testing
Types of questions in the UAT process
How was the testing process planned?
How were test data designed and developed?
What test data were used?
What test results were obtained?
What actions were taken as a result of errors or deficiencies identified?
What subsequent modifications to test data were made in light of testing experience?
How was control exercised over test data and the acceptance testing process?
Question and Answer
Quiz
Thank You