01 - Introduction to Information Systems Audit Concepts (Pengenalan Konsep Pemeriksaan Sistem Informasi)

Introduction to Information Systems Audit Concepts

Learning Objectives

1. Definition of IS Audit
2. Steps in Conducting an Audit
3. Due Professional Care
4. Management of the IS Audit Function
5. Risk Analysis
6. Internal Control
7. Performing an IS Audit

Definition by Ron Weber

IS audit is the process of collecting and evaluating evidence to determine whether a computer system safeguards assets, maintains data integrity, allows organizational goals to be achieved effectively, and uses resources efficiently.


Objectives of IS Auditing

Asset safeguarding

Data integrity

System effectiveness

System efficiency


Steps in Conducting an Audit

Planning the audit

Tests of controls

Tests of transactions

Tests of balances or overall results

Completion of the audit


Due Professional Care

Attestation and PSAP Standard

ISACA

CObIT

Attestation and PSAP Standard

Auditing standards: general standards, fieldwork standards, reporting standards
PSA No. 57: Auditing in a computer-based system environment
PSA No. 59: Computer-assisted audit techniques
PSA No. 63: Computer information systems environment
PSA No. 64: Online computer information systems environment
PSA No. 65: Computer information systems environment with database systems

ISACA

Audit charter
◦ Responsibility, authority, and accountability
Independence
◦ Professional independence
◦ Organizational relationship
Professional ethics and standards
◦ Code of professional ethics
◦ Due professional care
Competence
◦ Continuing professional education

ISACA (cont.)

Planning
◦ Audit planning
Performance of audit work
◦ Supervision
◦ Evidence
Reporting
◦ Report content and form
Follow-up activities
◦ Follow-up

CObIT Guidelines

Control objectives
Audit guidelines
Management guidelines

(CObIT is discussed in more detail under the Internal Control learning objective.)

Management of the IS Audit Function

Organization of the IS Audit Function
IS Audit Resource Management
Audit Planning
Effect of Laws and Regulations on IS Audit Planning

Organization of the IS Audit Function

IS audit services can be provided externally or internally.

If internally:
◦ The role should be established by an audit charter
◦ Can be part of internal audit, functioning either as an independent group or as a group integrated within financial and operational audit
◦ The charter should clearly state management's responsibility, objectives, and authority

Organization of the IS Audit Function (cont.)

If externally:
◦ The scope and objectives of these services should be documented in a formal contract or statement of work between the contracting organization and the service provider

In either case, the IS audit function should be independent and report to an audit committee, if available, or otherwise to the highest level of management, such as the board of directors.

IS Audit Resource Management

IS auditors should maintain their competency by updating existing skills and obtaining training directed toward new audit techniques and technological areas.
They must have the skills and knowledge necessary to perform the auditor's work, and maintain technical competence through appropriate continuing professional education.
IS audit management should also provide the IT resources necessary to properly perform IS audits of a highly specialized nature.

Audit Planning

Audit planning consists of both short- and long-term planning.
Analysis of short- and long-term issues should occur at least annually, to take into account:
◦ New control issues
◦ Changes in the risk environment, technologies and business processes
◦ Enhanced evaluation techniques
The results should be reviewed by senior audit management, approved by the audit committee (if available) or otherwise by the board of directors, and communicated to the relevant levels of management.

Audit Planning (cont.)

Each individual audit assignment must be adequately planned.
Steps in audit planning:
◦ Gain an understanding of the business
◦ Identify policies, standards and required guidelines, procedures, and organization structure
◦ Perform a risk analysis
◦ Set the audit scope and audit objectives
◦ Develop the audit strategy
◦ Assign personnel resources
◦ Address engagement logistics

Effect of Laws and Regulations on IS Audit Planning

Business regulations can affect the way data are processed, transmitted and stored.
IS auditors should review management's privacy policy to ascertain whether it takes into account the requirements of applicable privacy laws and regulations.
Two major areas of concern:
◦ Legal requirements (laws, regulations and contractual agreements) placed on the audit or IS audit function
◦ Legal requirements placed on the auditee and its systems, data management, reporting, etc.

Risk Analysis

Risk analysis is part of audit planning and helps to determine the controls needed to mitigate the risks.
The IS auditor must have knowledge of common business risks, related technology risks and the relevant controls.
The IS auditor must also be able to evaluate the risk assessment and management techniques used by business managers, and to make assessments of risk that help focus and plan the audit work.

Risk Analysis (cont.)

The risk assessment process:
◦ Identify business objectives, information assets, and the underlying systems or information resources
◦ Identify threats and determine their probability of occurrence, the resulting impact, and any additional safeguards needed
◦ Identify controls for mitigating the identified risks
Cost-benefit analysis considers:
◦ The cost of the control compared to its benefit
◦ Management's appetite for risk
◦ The preferred risk-reduction methods
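The following Python sketch is an added worked example, not part of the original slides: it carries the risk assessment process above through in code. It assumes the common quantification of a threat as expected annual loss = probability of occurrence x impact, screens each candidate control by comparing the loss it avoids against its annual cost, and then lists the threats whose residual loss still exceeds management's risk appetite so the audit plan can focus on them. Every asset, threat, probability, cost and the appetite threshold is constructed sample data.

```python
"""Risk register with cost-benefit screening of candidate controls.

Added example (not from the original slides). Quantification assumed:
expected annual loss = probability of occurrence x impact per occurrence.
All figures below are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Control:
    name: str
    annual_cost: float           # cost of operating the control per year
    residual_probability: float  # probability of the threat occurring with the control in place
    residual_impact: float       # loss per occurrence if the threat still materialises


@dataclass
class Threat:
    asset: str
    threat: str
    probability: float  # estimated probability of occurrence per year (0..1)
    impact: float       # estimated loss per occurrence, in currency units
    candidate_controls: List[Control] = field(default_factory=list)

    def expected_loss(self) -> float:
        """Inherent expected annual loss, before any candidate control."""
        return self.probability * self.impact


def control_net_benefit(threat: Threat, control: Control) -> float:
    """Loss avoided by the control minus its annual cost.

    Positive: the control pays for itself. Negative: it costs more than the risk it removes.
    """
    residual = control.residual_probability * control.residual_impact
    return (threat.expected_loss() - residual) - control.annual_cost


def best_control(threat: Threat) -> Optional[Control]:
    """The candidate control with the highest net benefit, or None if none pays off."""
    if not threat.candidate_controls:
        return None
    best = max(threat.candidate_controls, key=lambda c: control_net_benefit(threat, c))
    return best if control_net_benefit(threat, best) > 0 else None


def residual_loss(threat: Threat) -> float:
    """Expected annual loss after the best cost-justified control, if there is one."""
    control = best_control(threat)
    if control is None:
        return threat.expected_loss()
    return control.residual_probability * control.residual_impact


def audit_focus(register: List[Threat], risk_appetite: float) -> List[str]:
    """Threats whose residual loss still exceeds the appetite, worst first.

    These are the areas where the IS auditor should concentrate control testing.
    """
    above = [t for t in register if residual_loss(t) > risk_appetite]
    above.sort(key=residual_loss, reverse=True)
    return [f"{t.asset}: {t.threat}" for t in above]


# Constructed sample register (hypothetical assets, threats and figures).
SAMPLE_REGISTER = [
    Threat("Payroll database", "Unauthorised modification of salary records",
           probability=0.20, impact=500_000,
           candidate_controls=[
               Control("Role-based access + change logging", 40_000, 0.02, 500_000),
               Control("Quarterly manual reconciliation only", 5_000, 0.15, 500_000),
           ]),
    Threat("Order processing system", "Extended outage of the primary data centre",
           probability=0.10, impact=2_000_000,
           candidate_controls=[Control("Warm standby site + tested DRP", 150_000, 0.10, 200_000)]),
    Threat("Public website", "Defacement",
           probability=0.30, impact=80_000,
           candidate_controls=[Control("Web application firewall", 30_000, 0.05, 80_000)]),
]

RISK_APPETITE = 15_000  # assumed maximum tolerable expected annual loss per threat


if __name__ == "__main__":
    for t in SAMPLE_REGISTER:
        chosen = best_control(t)
        print(f"{t.asset} / {t.threat}: inherent {t.expected_loss():,.0f}, "
              f"control {chosen.name if chosen else 'none cost-justified'}, "
              f"residual {residual_loss(t):,.0f}")
    print("Audit focus:", audit_focus(SAMPLE_REGISTER, RISK_APPETITE))
```

Two cases fall out of the sample data: for the payroll database the stronger control is chosen because its net benefit is higher, and its residual loss drops below appetite; for the website the only candidate control costs more than the loss it avoids, so no control is justified and the threat stays on the audit focus list with its inherent loss. The outage scenario shows a control that pays for itself yet still leaves residual loss above appetite, which is exactly the situation the slide's "preferred risk-reduction methods" and risk appetite points are about.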

Risk Analysis (cont.)

Purposes of risk analysis from the IS auditor's perspective:
◦ Assists the IS auditor in identifying risks and threats
◦ Helps the IS auditor evaluate controls during audit planning
◦ Assists the IS auditor in determining audit objectives
◦ Supports risk-based audit decision making

Internal Controls

Internal controls are normally composed of policies, procedures, practices and organizational structures which are implemented to reduce risks to the organization.
Types of controls:
◦ Preventive
◦ Detective
◦ Corrective
(Already covered in the AIS course.)

Internal Control Objectives

Internal accounting controls
◦ Primarily directed at accounting operations, such as the safeguarding of assets and the reliability of financial records
Operational controls
◦ Directed at day-to-day operations, functions and activities, to ensure that the operation is meeting the business objectives
Administrative controls
◦ Concerned with operational efficiency in a functional area and adherence to management policies, including operational controls

IS Control Objectives

Safeguarding assets
Ensuring integrity of general operating system (OS) environments
Ensuring integrity of sensitive and critical application system environments
Ensuring appropriate identification and authentication of users of IS resources
Ensuring the efficiency and effectiveness of operations

IS Control Objectives (cont.)

Ensuring availability of IT services by developing efficient business continuity (BCP) and disaster recovery plans (DRP)
Enhancing protection of data and systems by developing an incident response plan
Ensuring integrity and reliability of systems by implementing effective change management procedures

Control Objectives for Information and Related Technology (CObIT)

Supports IT governance by ensuring that:
◦ IT is aligned with the business
◦ IT resources are used responsibly
◦ IT risks are managed appropriately
Four domains:
◦ Plan & Organize: identification of, and strategy for, IT investment
◦ Acquire & Implement: integrated realization of IT plans and applications
◦ Deliver & Support: IT support for business operations
◦ Monitor & Evaluate: scheduled evaluation of IT processes

IS Control Procedures

Strategy and direction
General organization and management
Access to IT resources, including data and programs
Systems development methodologies and change control
Operations procedures
Systems programming and technical support functions

IS Control Procedures (cont.)

Quality assurance (QA) procedures
Physical access controls
Business continuity (BCP)/disaster recovery planning (DRP)
Networks and communications
Database administration
Protection and detective mechanisms against internal and external attacks


Performing an IS Audit

Classification of Audits

Audit Programs

Audit Methodology

Audit Risk and Materiality

Risk Assessment and Treatment

Risk Assessment Techniques

Audit Objectives

Compliance vs. Substantive Testing

Performing an IS Audit (cont.)

Evidence
Interviewing and Observing Personnel in Action
Sampling
Computer-Assisted Audit Techniques
Evaluation of Audit Strengths and Weaknesses
Communicating Audit Results
Management Implementation of Recommendations
Audit Documentation

Assignment for Students

Describe, and give an example for, each step in performing an IS audit.
You may use the internet or other sources to help you.

Thank You