Audit Objective and Audit Procedures - General Controls

05.1 auditing procedure general controls


Page 1

Audit Objective and Audit Procedures - General Controls

Page 2

Page 3

Example: Ping IP

Page 4

Source: ITGI, COBIT 4.1, 2007

IT General Control vs. IT Application Control

Page 5

CPA Review, Wiley, 2013

IT Control and Audit, Sandra and Frederick, 2009

IT Audit, James A. Hall, 2011

IT Audit Process

Page 6

Scope of Information System Audit (COBIT cube, figure recovered as text)

Drivers: Business Objectives; Governance Objectives

Information criteria: Effectiveness; Efficiency; Confidentiality; Integrity; Availability; Compliance; Reliability

IT processes: Plan and Organize; Acquire and Implement; Delivery and Support; Monitor and Evaluate

IT resources: Applications; Information; Infrastructure; People

Scope of IAS

Page 7

Overview – Auditing Control

Auditing IT Control (General and Application)

Audit Objective:

- To assess the adequacy
- To assess the effectiveness

Questions the auditor answers:

- Is there a design / SOP?
- Is the design / SOP adequate?
- Is the design / SOP implemented?
- Is the implementation effective?

Procedures:

- Understand the internal control (IC) framework and the design / SOP
- Observe, interview, and test whether the SOP is communicated and implemented
- Use attribute statistics (attribute sampling)
- Assess management's monitoring and measurement

Criteria and evidence:

- Mitigate risk; conform with standard / best practice
- Flowchart and narrative
- Strengths and weaknesses
- Commit / communicate

Page 8

When identifying risks, auditors may find it useful to employ a top-down risk assessment (RA) to determine which applications to include in the control review and what tests need to be performed.

Example: Financial Statement Risk Analysis Approach (figure recovered as text)

Assess Risk: starting from the 10-K and the financial statements (F/S), financial statement assertions and F/S accounts are mapped to processes; processes are mapped to business units (BUs); non-financial disclosures are mapped to processes.

Processes: Revenue and Receivables; Purchases and Payables; Management and Financial Reporting/Accounting; Payroll and Benefits; Treasury; Legal; Compliance; Manufacturing; Investor Relations; Environmental. Each process is mapped to BU 1, BU 2, BU 3 or Corporate.

Risk Identification and Analysis. Risk assessment documents: risk analysis matrix by F/S accounts and disclosures; accounts risk analysis mapped to business and critical applications and underlying technology.

Prepare Risk Control Matrix (Manual and Automated). Define the risk assessment for IT-GC and IT-AC. See the Risk Assessment Approach in the following section.

Page 9

Example Application Control: Risk Assessment Approach

Risk factor weighting (the weights total 100):

Process         Logical   Physical  Financial  Supports to   Risk  Risk  Risk  Risk  Composite
                Access    Risk      Impact     Application   ...   ...   ...   ...   score
Weight          20        10        10         10            10    10    15    15    100
IT Governance   5         1         5          5             3     3     5     2     375
Data Center     1         1         2          1             1     1     4     2     170
BC & DRP        5         2         2          1             5     5     5     2     245
....            5         3         5          1             5     5     5     2     395
...             5         1         1          1             1     1     3     2     225

Composite score = ∑ (risk factor weight x risk scale), summed over all risk factors.

For example, the composite score of 375 = [(20 x 5) + (10 x 1) + (10 x 5) + …].

For this example, the auditor may determine that the general control review will include all processes with a score > 200.
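The scoring rule and the > 200 scoping threshold above, worked in code as an added example that is not from the original slides; the weights, risk scales and process names are the table's, and the range and total checks are assumptions about how the table is meant to be used.

```python
"""Composite risk scores for the risk assessment table above.

Added example, not code from the original slides. WEIGHTS and the
per-process risk scales are the values printed in the table; the
validation checks are assumptions about how the table is meant to be used.
"""

# Risk factor weights in table column order; they must total 100.
WEIGHTS = [20, 10, 10, 10, 10, 10, 15, 15]

# Risk scale (1..5) per process, one value per risk factor.
PROCESSES = {
    "IT Governance": [5, 1, 5, 5, 3, 3, 5, 2],
    "Data Center":   [1, 1, 2, 1, 1, 1, 4, 2],
    "BC & DRP":      [5, 2, 2, 1, 5, 5, 5, 2],
}

THRESHOLD = 200  # the slide scopes the review to processes scoring > 200


def composite_score(scales, weights=WEIGHTS):
    """Sum of (risk factor weight x risk scale) over all risk factors."""
    if len(scales) != len(weights):
        raise ValueError("one risk scale per risk factor is required")
    if sum(weights) != 100:
        raise ValueError("risk factor weights must total 100")
    if any(not 1 <= s <= 5 for s in scales):
        raise ValueError("risk scales must be on the 1..5 scale")
    return sum(w * s for w, s in zip(weights, scales))


def score_all(processes=PROCESSES):
    """Composite score per process, recomputed from weights and scales."""
    return {name: composite_score(s) for name, s in processes.items()}


def in_scope(processes=PROCESSES, threshold=THRESHOLD):
    """Processes the general control review will cover (score > threshold)."""
    return sorted(n for n, s in score_all(processes).items() if s > threshold)


if __name__ == "__main__":
    # Recomputing is the point of the exercise: IT Governance and Data Center
    # reproduce the printed 375 and 170, but the BC & DRP scales as printed
    # sum to 355, not the 245 shown, so printed totals should be recomputed.
    for name, score in score_all().items():
        print(f"{name:14s} {score:4d}")
    print("in scope (> 200):", in_scope())
```

Recomputing the totals from the printed weights and scales is itself an audit step: the BC & DRP row as printed sums to 355 rather than the 245 shown.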

Page 10

Example Audit Program – General Control

Columns: No. | Procedure | √/Х | Working paper ref (KKA ref) | PIC

Audit objective (IT Governance = 7 information criteria): To verify that the structure of the IT function is in accordance with the level of potential risk and in a manner that promotes a working environment.

Audit procedures:

1 Review documentation, including the current organization chart and job descriptions for key functions, to determine whether individuals or groups are performing incompatible functions. Assess the adequacy of the structure of the IT organization. Verify that maintenance programmers assigned to specific projects are not also the original design programmers. Verify that computer operators do not have access to the operational details of a system's internal logic. Through observation, determine that the segregation policy is followed.

2 Evaluate the Key Goal Indicator measurement results, particularly: percent of critical IT objectives covered by risk assessment; percent of IT personnel certified according to job needs.

3 Draw audit conclusions.

Page 11

Example Audit Program – General Control

Audit objective (IT Services): Service management and service quality are in accordance with the service level management (SLM) framework and the Service Level Agreement (SLA).

1 Obtain and study the ICT service catalogue, the service level management (SLM) framework, the SLA and the Operating Level Agreement (OLA), together with the service-level metrics for each service. IT services include: IT security system; Help Desk; database administrator; system change. Interview the ICT Division to gain an understanding of service management and service quality.

2 a. Obtain and study the SOPs and work instructions (WI), and the job descriptions for the IT service processes, to be used as the reference/standard when assessing ICT performance.

b. Evaluate whether the SOPs, WI and job descriptions of the IT function have been clearly described and communicated to all IT staff.

Page 12

3 SLA and OLA (= at the operational level). a. Check whether the SLA and OLA have been clearly defined. Example: whether SLA response time is counted from the moment the complaint occurs or from the moment the complaint report is received by the Help Desk.

b. Test the adequacy of the transparency/publication of the SLA and OLA. Example: the SLA and OLA are accessible to all users.

4 SLA and OLA update. a. Check whether the ICT Division periodically reviews the SLA and OLA to assess whether they are up to date with changes in the internal and external environment.

b. Check whether every user complaint/request has been responded to promptly and appropriately by the ICT Division.

5 Test the performance of the IT system: a. Load testing. Example: all users are asked to operate the IT system simultaneously. b. Throughput testing. Example: for a real-time system, check whether output is processed immediately after input. c. Security testing. Example: test whether the system can detect a deliberately introduced virus. Or, ask the security team to attempt a hack and observe whether the system can withstand it.

6 Observe the delivery of IT services. Example: when a user complaint reaches the Help Desk, the auditor observes the response to that complaint and then compares it with the SOP.

Page 13

7 Service level monitoring and reporting. a. Check whether the ICT Division has a mechanism for, and actually carries out, continuous and periodic monitoring of the SLA and OLA.

8 Evaluate whether the Key Goal Indicators cover all the process goals that have been set. Obtain and study the IT Group's Key Goal Indicator measurements relating to service management and service quality, including the measures: number of ICT services not listed in the service catalogue; number of ICT services without an accompanying service level; % of service levels measured; % of service levels meeting the minimum service level threshold.

9 Evaluate the Key Goal Indicator measurement results, particularly: adequacy of the data collection method; data validity; deviation between target and actual; adequacy of management's action plan for unfavorable deviations.

10 Interview the ICT Division.

11 Draw audit conclusions.

Page 14

Audit objective (Example: Data Center): To assess whether security, configuration, incident and problem management have been carried out adequately and effectively, covering the planning, development and operational processes, and covering data and information, applications and infrastructure.

Logical controls: a. Check whether there is an SOP stating that: a) logging in to the system requires an ID and a password; b) the password must be at least 6 characters long and must be a combination of numeric and alphabetic characters. b. Test whether logging in to the system requires an ID and a password. c. Test whether the password must be at least 6 characters long and a combination of numeric and alphabetic characters.

Physical controls: a) Observe whether the physical storage room has an access lock in the form of a conventional key, electronic access lock, cipher lock or biometric lock.

b) Check whether every person entering the IT system room has their ID, day and time recorded.

c) Obtain the Access Control List and compare it with the records of personnel entering the IT system room.

Page 15

Example: ITGC - Data Center Access Log
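The access-log check of physical-control procedures b) and c) on the previous page, as an added example that is not from the original slides; the CSV log format, the ACL and every log entry are constructed sample data.

```python
"""Reconcile a data center access log with the Access Control List (ACL).

Added example for physical-control procedures b) and c); it is not from
the original slides. The log format, the ACL and all entries are
constructed sample data.
"""
import csv
from io import StringIO

# Constructed ACL: IDs authorised to enter the IT system room. EMP099 is on
# the list but never appears in the log.
ACL = {"EMP001", "EMP007", "EMP099", "VND042"}

# Constructed access log recording ID, day and time, as procedure b) requires.
# Row 5 lacks an ID and row 7 lacks a time; EMP013 is not on the ACL.
ACCESS_LOG = """\
id,day,time
EMP001,Mon,08:55
EMP007,Mon,09:10
EMP013,Mon,09:30
,Tue,07:45
VND042,Tue,14:00
EMP001,Wed,
"""


def parse_log(text):
    """Parse the CSV log into a list of {id, day, time} dicts."""
    return list(csv.DictReader(StringIO(text)))


def reconcile(entries, acl=ACL):
    """Audit exceptions as (row, finding, detail): an incomplete record
    (procedure b), or an entry whose ID is not on the ACL (procedure c)."""
    findings = []
    for row, e in enumerate(entries, start=2):  # row 1 is the header line
        missing = [k for k in ("id", "day", "time") if not (e.get(k) or "").strip()]
        if missing:
            findings.append((row, "incomplete record", ",".join(missing)))
            continue
        if e["id"] not in acl:
            findings.append((row, "not on ACL", e["id"]))
    return findings


def unused_acl_ids(entries, acl=ACL):
    """ACL IDs with no recorded entry: review whether their access is still needed."""
    return sorted(acl - {e["id"] for e in entries if e.get("id")})


if __name__ == "__main__":
    entries = parse_log(ACCESS_LOG)
    for finding in reconcile(entries):
        print(*finding)
    print("ACL IDs never seen:", unused_acl_ids(entries))
```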

Page 16

Audit objective: To assess whether security, configuration, incident and problem management have been carried out adequately and effectively, covering the planning, development and operational processes, and covering data and information, applications and infrastructure.

Physical controls: b) Observe whether the room is staffed with security personnel and equipped with video surveillance cameras (CCTV). c) Observe whether emergency procedures are posted in the room. d) Assess the adequacy of the ventilation, cooling and fire prevention/handling facilities in the physical IT system room. e) Test whether the room can be entered by unauthorized parties, by attempting to enter the physical area using another person's identity or through the air ventilation.

f) Test whether the ventilation, air conditioning and fire suppression systems operate as specified.

g) Test whether the room is equipped with sufficient backup power and UPS.

Example: Room Monitoring

Page 17

Example: Fire Alarm System Test Report

Example: Fire Resistance Certificate

Page 18

Audit objective: To verify the security and integrity of financial transactions by determining that network controls (1) can prevent and detect illegal access, (2) will render useless any data that a perpetrator successfully captures, and (3) are sufficient to preserve the integrity and physical security of data connected to the network.

Audit procedures relating to subversive threats:

1 Review the adequacy of the firewall in achieving the proper balance between control and convenience based on the organization's business objectives and potential risks. Criteria for assessing firewall effectiveness include:

- Flexibility: the firewall should be flexible enough to accommodate new services as the security needs of the organization change.
- Proxy services: to provide explicit user authentication to sensitive services, applications, and data.
- Filtering: to deny all services that are not explicitly permitted.
- Segregation of systems: systems that do not require public access should be segregated from the Internet.
- Audit tools: the firewall should provide a thorough set of audit and logging tools that identify and record suspicious activity.
- Probe for weaknesses: the auditor should periodically probe the firewall for weaknesses just as a computer Internet hacker would do.

Page 19

Example: Input Activity Log - Firewall (form recovered as text). Fields: DDoS attack; Application Access Denied; Suspicious Behaviour; Date and Time; Severity Risk; Reporter.

Page 20

2 Verify that an intrusion prevention system (IPS) with deep packet inspection (DPI) is in place for organizations that are vulnerable to DDoS attacks, such as financial institutions.

3 Review security procedures governing the administration of data encryption keys.

4 Verify the encryption process by transmitting a test message and examining the contents at various points along the channel between the sending and receiving locations.

5 Review the message transaction logs to verify that all messages were received in their proper sequence.

6 Test the operation of the call-back feature by placing an unauthorized call from outside the installation.
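The sequence review of procedure 5, as an added example that is not from the original slides: it goes slightly beyond the slide by separating three exception types (missing, duplicate, late-arriving sequence numbers). The log format, the per-channel consecutive numbering assumption and the sample records are all constructed.

```python
"""Sequence check over a message transaction log (procedure 5 above).

Added example, not from the original slides. Constructed log format: one
message per line as "<channel>,<sequence>,<timestamp>,<message id>", with
sequence numbers assumed consecutive per channel in order of arrival.
"""

# Constructed sample log. Channel A is missing 1003 and receives 1005 after
# 1006; channel B logs sequence number 2 twice.
SAMPLE_LOG = """\
A,1001,2024-01-05T09:00:01,m1
A,1002,2024-01-05T09:00:02,m2
A,1004,2024-01-05T09:00:04,m4
A,1006,2024-01-05T09:00:06,m6
A,1005,2024-01-05T09:00:07,m5
B,1,2024-01-05T09:00:00,n1
B,2,2024-01-05T09:00:03,n2
B,2,2024-01-05T09:00:05,n2
B,3,2024-01-05T09:00:08,n3
"""


def parse(text):
    """Return (channel, sequence, timestamp, message id) tuples in log order."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            chan, seq, ts, mid = line.split(",")
            rows.append((chan, int(seq), ts, mid))
    return rows


def check_sequence(rows):
    """Per channel: numbers missing from the observed range, numbers logged
    more than once, and numbers that arrived after a higher one."""
    by_chan = {}
    for chan, seq, _ts, _mid in rows:
        by_chan.setdefault(chan, []).append(seq)
    findings = {}
    for chan, seqs in by_chan.items():
        seen, dup, late = set(), [], []
        for s in seqs:
            if s in seen:
                dup.append(s)          # same sequence number received twice
            elif seen and s < max(seen):
                late.append(s)         # arrived after a higher number
            seen.add(s)
        missing = sorted(set(range(min(seqs), max(seqs) + 1)) - seen)
        findings[chan] = {"missing": missing, "duplicate": dup, "out_of_order": late}
    return findings
```

An empty findings dict for every channel means the log shows all messages received in their proper sequence; any non-empty list is an exception to follow up.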

Page 21

Page 22

For further information, contact: