Audit dan Evaluasi Teknologi Informasi (Information Technology Audit and Evaluation), Session 2, MTI-CIO 2012


1. Audit dan Evaluasi Teknologi Informasi (Information Technology Audit and Evaluation), Session 2, MTI-CIO 2012

2. Law of Requisite Variety (in Indonesian: Hukum Ragam Persyaratan/Kebutuhan)
Ross Ashby, 1963: when the variety or complexity of the environment exceeds the capacity of a system (natural or artificial), the environment will dominate and ultimately destroy that system.
- Inadequate variety: if your environment is more sophisticated, in terms of complexity, than the responses your team has available, then its moves will be simplistic and ineffective.
- Excessive variety: if, however, your team has too much structure, then it will not be agile or fast enough to react to changes in its environment.

3. Auditing Purpose
- Is our purpose to issue reports? To raise issues? To make people look bad?
- To show how smart we are, and how dishonest, incompetent, and corrupt the rest of the company is?
- To flex our muscles and show that we can do anything and tell on anyone because we report to the board of directors?
(Chris Davis, 2007)

4. Why Audit?
IT today and tomorrow:
- Information integrity, reliability, and validity: their importance in today's global business environment
- E-commerce and electronic funds transfer
- The future of electronic payment systems
- Legal issues impacting IT
The IT environment:
- Privacy on the information superhighway
- Security, privacy, and audit
- Federal financial integrity legislation
- Federal security legislation

5. Internal Auditing: Partnering vs Policing
How to build a good relationship:
- An effective internal audit department considers the audit to be a partnership with fellow employees, not a policing function.
- Adversarial relationships get in the way of the core objective of the audit department.
Establish relationships:
- Be intentional about regular updates and meetings with IT management.
- Establish formal audit liaisons with the different IT organizations.
- Get yourself invited to key meetings.
- Cultivate an attitude of collaboration and cooperation.

6. Relationships
- Building and maintaining good relationships with the IT organization are critical elements of the IT audit team's success.
- The most effective IT audit teams ensure that every layer of the stack is covered, not just the application layer.
- Successful IT audit teams generally consist of a combination of career auditors and IT professionals.
- It is critical to develop methods for maintaining the technical expertise of the IT audit team.
- A healthy relationship should be developed with the external IT auditors.

7. Internal Audit Mission
- The real mission of the internal audit department is to help improve the state of internal controls at the company.
- Internal auditors are not truly independent, but they should be objective.
- It is important to find ways to accomplish the department's mission outside formal audits. The important tools are early involvement, informal audits, knowledge sharing, and self-assessments.

8. Consulting and Early Involvement
- Early involvement: few things add more value to the company than early involvement. It is just like planning an audit: you need to spend time understanding the system, technology, or process being implemented.
- Informal audits: a normal audit is time consuming, with lots of documents and samples; an informal audit is more like consulting.
- Knowledge sharing: common issues, best practices, innovation.
- Self-assessments.

9. IT Auditor Goals
Evidence collection and evaluation.
Competencies:
- Generalist: IT auditing skills, IT management, behavioral knowledge, legal and regulatory knowledge, etc.
- Specialist in specific IT areas: network security, database administration, electronic financial transactions, etc.
Goals: improvements in
- Asset safeguarding (hardware, software, facilities, people, data, documentation, supplies)
- Data integrity
- System effectiveness
- System efficiency

10. Good IT Auditor
IT auditors:
- Ability to dig into technical details without getting lost in those details
- Analytical skills
- Communication skills
- Quick learner
- Not tied up with a specific technology every day
- Exposure to a wide variety of technologies
- Opportunity to work with many levels of management
- Broad view of the company and of other IT groups
IT professionals: people who are subject matter experts on technology but have no experience with auditing.
- Sometimes IT professionals never really "get it": they never develop the ability to perform complex risk assessments.
Successful IT audit shops have a mixture of these types of auditors.

11. Career IT Auditor
- Generally hold Certified Information Systems Auditor (CISA) and/or Certified Information Systems Security Professional (CISSP) certifications.
- Tend to understand IT in theory, but usually have never been responsible for the day-to-day operations of an IT environment.
- Their depth of technical understanding is therefore often fairly light.

12. Auditor Independence
Internal auditor:
- The bottom line is this: you work for the company and report to its management; therefore, you are not independent.
- The most successful audit departments will have at least some people who have rotated into the department from other areas of the company.
- "Objective" is perhaps the more appropriate word ("not influenced by personal feelings or prejudice; unbiased").
- Just like quality, internal controls need to be built in up front.
- Unfortunately, many auditors use independence as an excuse not to add value and not to provide opinions.
- Do not sit in an ivory tower and pretend not to be part of things; auditors should leverage their knowledge of the business. Otherwise, just outsource it.
13. Internal Control
- The internal audit department is there to help improve the state of internal controls at the company.
- Internal controls are mechanisms that ensure the proper functioning of processes within the company.
Control examples:
- Software change controls: limit programmer access; testing and approval
- Access controls: user ID and password
- Backups and disaster-recovery plans: back up regularly; move the backup tapes off site; document the disaster recovery plan

14. IT Audit Examples
IT auditing is an integral part of the audit function because it supports the auditor's judgment on the quality of the information processed by computer systems.
Examples of IT audits:
- Organizational IT audits (management control over IT)
- Technical IT audits (infrastructure, data centers, data communication)
- Application IT audits (business, financial, operational)
- Development and implementation IT audits (specification and requirements, design, development, and post-implementation phases)
- Compliance IT audits involving national or international standards

15. IT Audit Types and Implementations
- Preventive controls stop a bad thing from happening. Example: a user ID and password (theoretically) prevents unauthorized people from accessing the system.
- Detective controls record a bad thing after it has happened (logging).
- Reactive controls provide a systematic way of detecting that those bad things have happened and correcting the situation. Example: a worm is found on the network, so the port is shut down.

16. IT Auditing Areas
(Figure: the specific layers of the stack and the potential IT auditing area for each.)

17. Auditor Examples
Information systems auditors:
- Focus on the application layer: access is properly controlled; integrity of the data being entered
- Support for the financial auditors: experts at data extraction. Example: a list of all invoices greater than 90 days past due
IT auditors:
- This model seems to be the most thorough and effective, because it ensures that all layers are covered, and that they are covered by the people with the highest level of subject matter knowledge.
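Slide 15 contrasts preventive, detective and reactive controls. The following Python script is an added example, not code from the slides or the course: it runs detection logic over a few constructed sshd-style log lines (the host name, addresses, timestamps and the five-failures-in-one-minute threshold are all made up here) and then derives the reactive step, a block rule and a forced password reset, from each finding. The log itself is the detective control; a log that nobody evaluates detects nothing, and the reactive step only becomes systematic once the detective output has been parsed into something a rule can act on.

```python
"""Detective and reactive controls over a constructed login log (added example).

Not part of the course slides. The log lines, host name, addresses and the
five-failures-in-one-minute threshold are made up for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd-style log lines; the logging itself is the detective control.
SAMPLE_LOG = """\
2012-03-01T08:00:01 host1 sshd: Failed password for root from 10.0.0.5 port 51000
2012-03-01T08:00:03 host1 sshd: Failed password for root from 10.0.0.5 port 51001
2012-03-01T08:00:05 host1 sshd: Failed password for root from 10.0.0.5 port 51002
2012-03-01T08:00:07 host1 sshd: Failed password for root from 10.0.0.5 port 51003
2012-03-01T08:00:09 host1 sshd: Failed password for root from 10.0.0.5 port 51004
2012-03-01T08:00:11 host1 sshd: Accepted password for root from 10.0.0.5 port 51005
2012-03-01T08:30:00 host1 sshd: Failed password for alice from 192.168.1.20 port 40000
2012-03-01T09:15:00 host1 sshd: Accepted password for alice from 192.168.1.20 port 40001
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+) port \d+$"
)


def parse_log(text):
    """Turn raw lines into events; lines that do not parse are skipped, not guessed."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "host": m["host"],
                           "result": m["result"], "user": m["user"], "src": m["src"]})
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Detection logic: a source with at least `threshold` failures inside one window.

    Also records whether that source later logged in successfully, which turns a
    noisy scan into a probable compromise."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    findings = []
    for src, evs in sorted(by_src.items()):
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["result"] == "Failed"]
        for start in range(len(fails)):
            end_ts = fails[start]["ts"] + window
            burst = [f for f in fails[start:] if f["ts"] <= end_ts]
            if len(burst) < threshold:
                continue
            last_fail = burst[-1]["ts"]
            success = next((e for e in evs
                            if e["result"] == "Accepted" and e["ts"] > last_fail), None)
            findings.append({"src": src, "host": burst[-1]["host"], "user": burst[-1]["user"],
                             "failures": len(burst), "first": burst[0]["ts"], "last": last_fail,
                             "followed_by_success": success is not None})
            break  # one finding per source is enough for the report
    return findings


def reactive_actions(findings):
    """Reactive control: the corrective steps to apply for each finding.

    The action strings are a hypothetical runbook format, the analogue of the
    slide's 'worm found on the network, shut down the port'."""
    actions = []
    for f in findings:
        actions.append(f"firewall deny from {f['src']}")
        if f["followed_by_success"]:
            actions.append(f"force password reset for {f['user']} on {f['host']}")
    return actions


if __name__ == "__main__":
    found = detect_bruteforce(parse_log(SAMPLE_LOG))
    for f in found:
        print(f"{f['src']}: {f['failures']} failures {f['first']}..{f['last']}, "
              f"followed by success: {f['followed_by_success']}")
    print("\n".join(reactive_actions(found)))
```

On the constructed log, 10.0.0.5 produces five failures in eight seconds and then a success, so it is flagged and gets both actions; alice's single typo at 08:30 stays below the threshold. An auditor assessing the detective control would ask exactly these questions of a real environment: is the log complete, is anything evaluating it, and is there a defined reactive step when it fires.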
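Slide 17 cites "a list of all invoices greater than 90 days past due" as the kind of data extraction with which an information systems auditor supports the financial auditors. The following is an added example, not the course's own code: it loads a constructed five-row invoice ledger into an in-memory SQLite database (the table name, column names and amounts are assumptions) and runs the extraction as a parameterised query, with the as-of date and the day threshold bound as parameters rather than formatted into the SQL string.

```python
"""Audit data extraction: invoices more than N days past due (added example).

Not part of the course slides. The table layout and the invoice rows are
constructed for illustration; the as-of date and the threshold are parameters.
"""
import sqlite3

# Constructed sample ledger: (invoice_no, customer, due_date, amount, paid_date).
# Ages in the comments are as of 2012-03-01 (2012 is a leap year: February has 29 days).
SAMPLE_INVOICES = [
    ("INV-001", "Acme",    "2011-11-01", 1500.00, None),          # 121 days past due
    ("INV-002", "Acme",    "2012-01-15",  800.00, None),          # 46 days: not yet 90
    ("INV-003", "Globex",  "2011-10-15", 2400.00, "2011-11-30"),  # paid: excluded
    ("INV-004", "Globex",  "2011-12-01",  300.00, None),          # 91 days past due
    ("INV-005", "Initech", "2011-12-02",  300.00, None),          # exactly 90: excluded by '>'
]


def load_ledger(rows):
    """Create an in-memory ledger with the assumed schema and load the rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE invoices ("
        " invoice_no TEXT PRIMARY KEY, customer TEXT NOT NULL,"
        " due_date TEXT NOT NULL, amount REAL NOT NULL, paid_date TEXT)"
    )
    conn.executemany("INSERT INTO invoices VALUES (?, ?, ?, ?, ?)", rows)
    conn.commit()
    return conn


# Parameterised query: the as-of date and the threshold are bound as named
# parameters, never formatted into the SQL text. julianday() converts the ISO
# date strings into day numbers so the age is a plain subtraction.
PAST_DUE_SQL = """
SELECT invoice_no, customer, due_date, amount,
       CAST(julianday(:as_of) - julianday(due_date) AS INTEGER) AS days_past_due
FROM invoices
WHERE paid_date IS NULL
  AND julianday(:as_of) - julianday(due_date) > :min_days
ORDER BY days_past_due DESC, invoice_no
"""


def invoices_past_due(conn, as_of, min_days=90):
    """Return the unpaid invoices more than min_days past due on the as-of date."""
    cur = conn.execute(PAST_DUE_SQL, {"as_of": as_of, "min_days": min_days})
    cols = [d[0] for d in cur.description]
    return [dict(zip(cols, row)) for row in cur.fetchall()]


def total_outstanding(rows):
    """Sum of the extracted amounts, for the summary line of the working paper."""
    return round(sum(r["amount"] for r in rows), 2)


if __name__ == "__main__":
    ledger = load_ledger(SAMPLE_INVOICES)
    rows = invoices_past_due(ledger, "2012-03-01")
    for inv in rows:
        print(f"{inv['invoice_no']:8} {inv['customer']:8} "
              f"{inv['days_past_due']:4d} days {inv['amount']:9.2f}")
    print(f"total outstanding > 90 days: {total_outstanding(rows):.2f}")
```

Binding the as-of date instead of interpolating it matters even in an audit script: the same extraction run against the production ledger with a date typed in by a colleague is exactly where SQL injection creeps into analysis tooling. The strict comparison excludes an invoice that is exactly 90 days old, which is how the slide's wording reads; change it to >= if the engagement defines "greater than 90 days" inclusively.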
18. Potential Audits and Ranking
- Business applications
- Regulatory compliance
- A methodology for ranking those potential audits

19. Audit Stages
Planning:
- The goal: determine the objective and scope
- Basic sources: preliminary survey, customer requests, standard checklists (see the books), research (Internet, library, etc.)
Fieldwork and documentation:
- Acquiring data and performing interviews that help team members analyze the potential risks and determine which risks have not been mitigated appropriately
- "Here's what I did, here's what I found, here's my conclusion, and here's why I reached that conclusion." Tedious but necessary.
Issue discovery and validation:
- List of concerns
- Validate with the customer early

20. Audit Stages (cont.)
Solution development:
- Just raising the issues does your company no good unless those issues are actually addressed.
- Common approaches for addressing audit issues: the recommendation approach, the management-response approach, the solution approach
Report drafting and issuance:
- For you and the audit customers, the report serves as a record of the audit, its results, and the resulting action plans.
- For senior management and the audit committee, it serves as a "report card" on the area that was audited.
Issue tracking:
- The audit department must develop a process whereby its members are able to track and follow up on issues until they are resolved.

21. Planning, Fieldwork, Documentation, Validation
Some basic sources that should be referenced as part of each audit's planning process: handoff from the audit manager, preliminary survey, customer requests, standard checklists, research.
During fieldwork and documentation, look for:
- Ways to independently validate the information given
- The effectiveness of the control environment
If you work with your customers throughout the audit to validate issues and come to agreement on the risks those issues represent, then the conclusion of the audit will go much more smoothly and quickly.

22. Approaches, Reporting, Resolution
Three common approaches for developing and assigning action items to address audit issues: the recommendation approach, the management-response approach, and the solution approach.
The essential elements of an audit report: a statement of the audit scope; the list of issues along with the action plans for resolving them; an executive summary.
The audit is not truly complete until the issues raised in the audit are resolved.