Control and Audit of Information System

Hendri Eka Saputra

Summary of Internal Control DefinitionA process, effected by the entity’s board of directors,management, and other personnel, designed to providereasonable assurance regarding, achievement of (the entity’s)objectives on:

•Effectiveness and efficiency of operations

•Reliability of financial reporting

•Compliance with applicable laws and regulations

Control ObjectivesIn each area of internal control (financial reporting, operations andcompliance)• Control objectives and

• Subobjectives exist

Example: Area of financial reporting• Top level objective – prepare and issue reliable financial information

• Detailed level applied to A/R subobjectives

All goods shipped are accurately billed in the proper period

Invoices are accurately recorded for all authorized shipments and only for such shipments

Authorized and only authorized sales returns and allowances are accurately recorded

The continued completeness and accuracy of A/R is ensured

Accounts receivable records are safeguarded

Foreign Corrupt Practices ActPassed in 1977 in response to American corporationpractice of paying bribes and kickbacks to officials inforeign countries to obtain business

The Act• Requires an effective system of internal control

• Makes illegal payment of bribes to foreign officials

Controls over Financial ReportingPreventive

• Aimed at avoiding the occurrence of misstatements in the financial statements

• Example: Segregation of duties

Detective

• Designed to discover misstatements after they have occurred

• Example: Monthly bank reconciliations

Corrective

• Needed to remedy the situation uncovered by detective controls

• Example: Backups of master file

Controls overlap

• Complementary – function together

• Redundant – address same assertion or control objective

• Compensating – reduces risk existing weakness will result in misstatement

Components of Internal Control The Control Environment

Risk Assessment

The Accounting Information and Communication System

Control Activities

Monitoring

Control Environment Factors Integrity and ethical values

Commitment to competence

Board of directors or audit committee

Management philosophy and operating style

Organizational structure

Human resource policies and practices

Assignment of authority and responsibility

Risk Assessment--Factors Indicativeof Increased Financial ReportingRisk

Changes in the regulatory or operating environment

Changes in personnel

Implementation of a new or modified information system

Rapid growth of the organization

Changes in technology affecting production processes or informationsystems

Introduction of new lines of business, products, or processes

Control ActivitiesPerformance reviews

Information processing

• General control activities

• Application control activities

Physical controls

Segregation of duties

• Segregate authorization, recording and custody of assets

Segregation of Duties

Objectives of an Accounting System Identify and record valid transactions

Describe on a timely basis the transactions in sufficient detail to permit properclassification of transactions

Measure the value of transactions appropriately

Determine the time period in which the transactions occurred to permitrecording in the proper period

Present properly the transactions and related disclosures in the financialstatements

MonitoringOngoing monitoring activities

•Regularly performed supervisory and management activities

•Example: Continuous monitoring of customer complaints

Separate evaluations

•Performed on nonroutine basis

•Example: Periodic audits by internal audit

Limitations of Internal Control Errors may arise from misunderstandings of instructions, mistakes ofjudgment, fatigue, etc.

Controls that depend on the segregation of duties may be circumventedby collusion

Management may override the structure

Compliance may deteriorate over time

Enterprise Risk Management (ERM) COSO issued a new internal control framework in 2004 on enterprise riskmanagement. It does not replace the original COSO internal control framework.

It goes beyond internal control to focus on how organizations can effectively managerisks and opportunities.

The auditing standards are still structured around the original COSO internal controlframework.

Financial Statement Audits: The Role of Internal Control

Second Field Work Standard

The auditor must obtain a sufficient understanding of the entity and its environment,including its internal control, to assess the risk of material misstatement of the financialstatements whether due to error or fraud, and to design the nature, timing, and extentof further audit procedures. [emphasis added]

Auditors’ Overall Approach with Internal Control Overall approach of an audit

1. Plan the audit

2. Obtain an understanding of the client and its environment, includinginternal control

3. Assess the risks of material misstatement and design further auditprocedures

4. Perform further audit procedures

5. Complete the audit

6. Form an opinion and issue the audit report

Steps 2-4 relate most directly to the role of internal control infinancial statement audits

COBIT 5

For information security

Information! Information is a key resource for all enterprises.

Information is created, used, retained, disclosed and destroyed.

Technology plays a key role in these actions.

Technology is becoming pervasive in all aspects of business andpersonal life.

What benefits do information and technology bring toenterprises?

Enterprise BenefitsEnterprises and their executives strive to:

Maintain quality information to support business decisions.

Generate business value from IT-enabled investments, i.e., achieve strategic goals andrealise business benefits through effective and innovative use of IT.

Achieve operational excellence through reliable and efficient application of technology.

Maintain IT-related risk at an acceptable level.

Optimise the cost of IT services and technology.

Stakeholder ValueDelivering enterprise stakeholder value requires good governance and managementof information and technology (IT) assets.Enterprise boards, executives and management have to embrace IT like any othersignificant part of the business.

External legal, regulatory and contractual compliance requirements related toenterprise use of information and technology are increasing, threatening value ifbreached.

COBIT 5 provides a comprehensive framework that assists enterprises toachieve their goals and deliver value through effective governance andmanagement of enterprise IT.

The COBIT 5 FrameworkSimply stated, COBIT 5 helps enterprises create optimal value from IT by maintaining abalance between realising benefits and optimising risk levels and resource use.

COBIT 5 enables information and related technology to be governed and managed in aholistic manner for the entire enterprise, taking in the full end-to-end business andfunctional areas of responsibility, considering the IT-related interests of internal andexternal stakeholders.

The COBIT 5 principles and enablers are generic and useful for enterprises of allsizes, whether commercial, not-for-profit or in the public sector.

COBIT 5 Principles

COBIT 5 Enablers

Governance and ManagementGovernance ensures that stakeholder needs, conditions and options are evaluated todetermine balance, agreed-on enterprise objectives to be achieved; setting directionthrough prioritisation and decision making; and monitoring performance, complianceand compliance against agreed-on direction and objectives (EDM).

Management plans, builds, runs and monitors activities in alignment with thedirection set by the governance body to achieve the enterprise objectives (PBRM).

Summary…COBIT 5 brings together the five principles that allow the enterprise to build aneffective governance and management framework based on a holistic set of sevenenablers that optimises information and technology investment and use for thebenefit of stakeholders.

COBIT 5 Product Family

COBIT 5 for InformationSecurity Extended view of COBIT5

Explains each component from info security perspective

it contain! Guidance on drivers, benefits

Principles from infosec perspective

Enablers for support

Alignment with standards

DriversThe major drivers for the development of COBIT 5 for Information Securityinclude:

1. The need to describe information security in an enterprise context

2. An increasing need for enterprises to:

• Keep risk at acceptable levels.

• Maintain availability to systems and services.

• Comply with relevant laws and regulation.

3. The need to connect to and align with other major standards and frameworks

4. The need to link together all major ISACA research, frameworks and guidance

BenefitsUsing COBIT 5 for Information Security can result in a number of benefits,including:• Reduced complexity and increased cost-effectiveness due to improved and easier integration of

information security standards

• Increased user satisfaction with information security arrangements and outcomes

• Improved integration of information security in the enterprise

• Informed risk decisions and risk awareness

• Improved prevention, detection and recovery

• Reduced impact of security incidents

• Enhanced support for innovation and competitiveness

• Improved management of costs related to the information security function

• Better understanding of information security

Information Security DefinedISACA defines information security as something that:

Ensures that within the enterprise, information is protectedagainst disclosure to unauthorized users (confidentiality),improper modification (integrity) and non-access whenrequired (availability).

Using COBIT 5 Enablers for Implementing Information Security

COBIT 5 for Information Security provides specific guidance related to all enablers

1. Information security policies, principles, and frameworks

2. Processes, including information security-specific details and activities

3. Information security-specific organisational structures

4. In terms of culture, ethics and behaviour, factors determining the success ofinformation security governance and management

5. Information security-specific information types

6. Service capabilities required to provide information security functions to an enterprise

7. People, skills and competencies specific for information security

Enabler: Principles, Policies and FrameworksPrinciples, policies and frameworks refer to the communicationmechanisms put in place to convey the direction and instructions ofthe governing bodies and management, including:

• Principles, policies and framework model

• Information security principles

• Information security policies

• Adapting policies to the enterprises environment

• Policy life cycle

Enabler: Principles, Policies and Frameworks (cont.)

Information Security Principles

Information Security Policy

Specific Information Security Policies

Information Security Procedures

Information Security Requirements and Documentation

Generic Information Security Standards, Frameworks and Models

Mandatory Information Security Standards, Frameworks and Models

InputPolicy Framework

Information Security PrinciplesInformation security principles communicate the rules of the enterprise. These principlesneed to be:

• Limited in number

• Expressed in simple language

In 2010 ISACA, ISF and ISC2 worked together to create 12 principles* that will helpinformation security professionals add value to their organisations. The principles support 3tasks:

• Support the business.

•Defend the business.

•Promote responsible information security behaviour.

* Principles are covered in COBIT 5 for Information Security and can also be located atwww.isaca.org/standards

Information Security PoliciesPolicies provide more detailed guidance on how to put principles into practice. Someenterprises may include policies such as:• Information security policy

• Access control policy

• Personnel information security policy

• Incident management policy

• Asset management policy

COBIT 5 for Information Security describes the following attributes of each policy:• Scope

• Validity

• Goals

Enabler: ProcessesThe COBIT 5 process reference model subdivides the IT-related practicesand activities of the enterprise into two main areas—governance andmanagement—with management further divided into domains ofprocesses:

• The Governance domain contains five governance processes; withineach process, evaluate, direct and monitor (EDM) practices aredefined.

• The four Management domains are in line with the responsibility areasof plan, build, run and monitor (PBRM).

• COBIT 5 for Information Security examines each of the processes froman information security perspective.

Enabler: Organisational StructuresCOBIT 5 examines the organisational structures model from aninformation security perspective. It defines information security roles andstructures and also examines accountability over information security,providing examples of specific roles and structures and what theirmandate is, and also looks at potential paths for information securityreporting and the different advantages and disadvantages of eachpossibility.

Enabler: Culture, Ethics and Behaviour

Examines the culture, ethics and behaviour model from an information security perspective providingdetailed security specific examples of:

1. The Culture Life Cycle –measuring behaviours over time to benchmark the security culture –somebehaviours may include:• Strength of passwords• Lack of approach to security• Adherence to change management practices

2. Leadership and Champions –need these people to set examples and help influence culture:• Risk managers• Security professionals• C-level executives

3. Desirable Behaviour –a number of behaviours have been identified that will help positively influencesecurity culture:• Information security is practiced in daily operations.• Stakeholders are aware of how to respond to threats.• Executive management recognises the business value of security.

Enabler: InformationInformation is not only the main subject of information security but isalso a key enabler.

1. Information types are examined and reveal types of relevant security information whichcan include:

• Information security strategy• Information security budget• Policies• Awareness material• Etc.

2. Information stakeholders as well as the information life cycle are also identified anddetailed from a security perspective. Details specific to security such as informationstorage, sharing, use and disposal are all discussed.

Enabler: Services, Infrastructure and Applications

The services, infrastructure and applications model identifies the servicescapabilities that are required to provide information security and relatedfunctions to an enterprise. The following list contains examples of potentialsecurity-related services that could appear in a security service catalogue:• Provide a security architecture.

• Provide security awareness.

• Provide security assessments.

• Provide adequate incident response.

• Provide adequate protection against malware, external attacks and intrusionattempts.

• Provide monitoring and alert services for security related events.

Enabler: People, Skills and Competencies

To effectively operate an information security function within an enterprise, individualswith appropriate knowledge and experience must exercise that function. Some typicalsecurity-related skills and competencies listed are:• Information security governance

• Information risk management

• Information security operations

COBIT 5 for Information Security defines the following attributes for each of the skillsand competencies:• Skill definition

• Goals

• Related enablers

Thank You