Introduction to Information Systems Audit Concepts

Learning Objectives
1. Definition of IS Audit
2. Steps in Conducting an Audit
3. Due Professional Care
4. Management of the IS Audit Function
5. Risk Analysis
6. Internal Control
7. Performing an IS Audit

Definition by Ron Weber
IS audit is the process of collecting and evaluating evidence to determine whether a computer system safeguards assets, maintains data integrity, allows organizational goals to be achieved effectively, and uses resources efficiently.

Objectives of IS Auditing
Asset safeguarding
Data integrity
System effectiveness
System efficiency
Steps in Conducting an Audit
Planning the audit
Tests of controls
Tests of transactions
Tests of balances of overall results
Completion of the audit
Due Professional Care
Attestation and PSAP Standard
ISACA
CObIT
Attestation and PSAP Standard
General auditing standards, fieldwork standards, and reporting standards
PSA No. 57: Auditing in a computer-based system environment
PSA No. 59: Computer-assisted audit techniques
PSA No. 63: Computer information system environment
PSA No. 64: Online computer information system environment
PSA No. 65: Computer information system environment with database systems

ISACA
Audit chapter
◦ Responsibility, authority, and accountability
Independence
◦ Professional independence
◦ Organizational relationship
Professional ethics and standards
◦ Code of professional ethics
◦ Due professional care
Competence
◦ Continuing professional education

ISACA (cont…)
Planning
◦ Audit planning
Performance of audit work
◦ Supervision
◦ Evidence
Reporting
◦ Report content and form
Follow-up activities
◦ Follow-up

CObIT Guidelines
Control objectives
Audit guidelines
Management guidelines
We'll discuss this later under the Internal Control learning objective.

Management of the IS Audit Function
Organization of the IS Audit Function
IS Audit Resource Management
Audit Planning
Effect of Laws and Regulations on IS Audit Planning

Organization of the IS Audit Function
IS audit services can be provided externally or internally.
If internally:
◦ The role should be established by an audit charter
◦ It can be part of internal audit, functioning either as an independent group or integrated within the financial and operational audit function
◦ The charter should clearly state management's responsibility, objectives, and authority

Organization of the IS Audit Function (cont…)
If externally:
◦ The scope and objectives of these services should be documented in a formal contract or statement of work between the contracting organization and the service provider
The IS audit function should be independent and report to an audit committee, if available, or to the highest management level such as the board of directors

IS Audit Resource Management
IS auditors should maintain their competency by updating existing skills and obtaining training directed toward new audit techniques and technological areas
They must have the skills and knowledge necessary to perform the auditor's work
They should maintain technical competence through appropriate continuing professional education
IS audit management should also provide the necessary IT resources to properly perform IS audits of a highly specialized nature

Audit Planning
Consists of both short- and long-term planning
Analysis of short- and long-term issues should occur at least annually, for:
◦ New control issues
◦ Changes in the risk environment, technologies and business processes
◦ Enhanced evaluation techniques
The results are reviewed by senior audit management and approved by the audit committee, if available, or alternatively by the board of directors, and communicated to relevant levels of management.

Audit Planning (cont…)
Each individual audit assignment must be adequately planned.
Steps to perform audit planning:
◦ Gain an understanding of the business
◦ Identify policies, standards and required guidelines, procedures, and organization structure
◦ Perform a risk analysis
◦ Set the audit scope and audit objectives
◦ Develop an audit strategy
◦ Assign personnel resources
◦ Address engagement logistics

Effect of Laws and Regulations on IS Audit Planning
Business regulations can impact the way data are processed, transmitted and stored
IS auditors should review management's privacy policy to ascertain whether it takes into account the requirements of applicable privacy laws and regulations
Two major areas of concern:
◦ Legal requirements (laws, regulations and contractual agreements) placed on the audit or IS audit function, and
◦ Legal requirements placed on the auditee and its systems, data management, reporting, etc.

Risk Analysis
Risk analysis is part of audit planning and helps determine the controls needed to mitigate the risks
The IS auditor must have knowledge of common business risks, related technology risks and relevant controls.
The IS auditor must also be able to evaluate the risk assessment and management techniques used by business managers, and to make assessments of risk to help focus and plan audit work

Risk Analysis (cont…)
The risk assessment process:
◦ Identify business objectives, information assets, and the underlying systems or information resources
◦ Identify threats and determine the probability of occurrence, the resulting impact, and additional safeguards
◦ Identify controls for mitigating identified risks
Cost-benefit analysis:
◦ The cost of the control compared to the benefit
◦ Management's appetite for risk
◦ Preferred risk-reduction methods

Risk Analysis (cont…)
Purposes of risk analysis from the IS auditor's perspective:
◦ Assists the IS auditor in identifying risks and threats
◦ Helps the IS auditor in his/her evaluation of controls in audit planning
◦ Assists the IS auditor in determining audit objectives
◦ Supports risk-based audit decision making

Internal Controls
Normally composed of policies, procedures, practices and organizational structures which are implemented to reduce risks to the organization
Controls:
◦ Preventive
◦ Detective
◦ Corrective
(Already covered in the AIS course.)

Internal Control Objectives
Internal accounting controls
◦ Primarily directed at accounting operations such as the safeguarding of assets and the reliability of financial records
Operational controls
◦ Directed at day-to-day operations, functions and activities to ensure that the operation is meeting the business objectives
Administrative controls
◦ Concerned with operational efficiency in a functional area and adherence to management policies, including operational controls

IS Control Objectives
Safeguarding assets
Ensuring integrity of general operating system (OS) environments
Ensuring integrity of sensitive and critical application system environments
Ensuring appropriate identification and authentication of users of IS resources
Ensuring the efficiency and effectiveness of operations

IS Control Objectives (cont…)
Ensuring availability of IT services by developing efficient business continuity (BCP) and disaster recovery plans (DRP)
Enhancing protection of data and systems by developing an incident response plan
Ensuring integrity and reliability of systems by implementing effective change management procedures

Control Objectives for Information and Related Technology (CObIT)
Supports IT governance by:
◦ Ensuring that IT is aligned with the business
◦ Ensuring that IT resources are used responsibly
◦ Ensuring that IT risks are managed appropriately
4 domains:
◦ Plan & Organize: identification and strategy for IT investment
◦ Acquire & Implement: integrated realization of IT planning and applications
◦ Deliver & Support: IT support for business operations
◦ Monitor & Evaluate: scheduled evaluation of IT processes

IS Control Procedures
Strategy and direction
General organization and management
Access to IT resources, including data and programs
Systems development methodologies and change control
Operations procedures
Systems programming and technical support functions

IS Control Procedures (cont…)
Quality assurance (QA) procedures
Physical access controls
Business continuity (BCP)/disaster recovery planning (DRP)
Networks and communications
Database administration
Protection and detective mechanisms against internal and external attacks

Performing an IS Audit
Classification of Audits
Audit Programs
Audit Methodology
Audit Risk and Materiality
Risk Assessment and Treatment
Risk Assessment Techniques
Audit Objectives
Compliance vs. Substantive Testing

Performing an IS Audit (cont…)
Evidence
Interviewing and Observing Personnel in Action
Sampling
Computer-Assisted Audit Techniques
Evaluation of Audit Strengths and Weaknesses
Communicating Audit Results
Management Implementation of Recommendations
Audit Documentation

Assignment for Students
Describe and give an example for each step in performing an IS audit.
You can search the internet or other sources for help.
Thank You