
Information Technology Risk and Controls

Information System Audit Course

Agenda
1. Introduction to Information System Auditing
2. Introduction to the Basis of IT-related Business Risks and Controls
3. Integration of Financial Audit and IS Audit
4. Application of IS Audit and WebTrust

Backgrounds
1. Return on Investment & IT Business Risks
- A significant portion of a company's investment goes into Information Technology.
- Companies implement new systems (ERP, e-Commerce) or significant modifications (changed business requirements). Will the business requirements be met by the IT solution? What is the return on investment?
- Computer/EDP-related errors and irregularities:
  - Incorrect processing/calculation, e.g. billing systems, phone banking, Internet banking, etc.
  - Discontinuity of the IT function due to disaster, viruses, etc.
  - Computer fraud

Backgrounds (contd)
2. Complex Systems & Assurance Needs
- Highly integrated, computerized processing of business transactions: there is a need for a certain level of understanding of, and assurance over, complex accounting transaction processing systems.
- Introduction of new advanced technology: e-Commerce, EDI (Electronic Data Interchange), SWIFT.
- Audit evidence is electronic as well as hardcopy: passwords are used for authorization, and there is no print-out of the transaction listing.

Backgrounds (contd)
3. Quality and Career
- Maintain individual competitiveness (globalization).
- Focus and specialization in managing IT risk and audit.

4. Audit Requirements
For the external auditor:
- SA Section 314: Risk Assessment and Internal Control - Considerations and EDP Characteristics
- SA Section 335: Auditing in an EDP Environment
For the internal auditor:
- SPFAIB (Standar Pelaksanaan Fungsi Audit Intern Bank) for the banking industry

Definition: Information Systems Auditing
The process of collecting and evaluating evidence to determine whether a computer system (information system) safeguards assets, maintains data integrity, allows organizational goals to be achieved effectively, and uses resources efficiently. (Ron Weber)

IS Audit Objectives
Asset Safeguarding
The assets of a computer installation include hardware, software, people, data files, system documentation, and supplies; they must be protected by a system of internal control.

Data Integrity
Data integrity is a fundamental concept in IS auditing. It is a state implying that data has certain attributes: completeness, soundness, purity, veracity.

System Effectiveness and Efficiency
Evaluating effectiveness implies knowledge of user needs. An efficient data processing system uses minimum resources to achieve its required output.

Information System Auditor vs Financial/Internal Auditor

Matters                   | Information System Auditor                                                                 | Financial/Internal Auditor
Standards                 | Generally Accepted IT Control Principles (COBIT)                                           | GAAP / SAS 78: Internal Control
Auditee                   | IT Division                                                                                | Mostly Finance & Accounting Dept / all functions of the organization
Professional Organization | ISACA                                                                                      | AICPA / IIA
Qualification             | CISA                                                                                       | CPA / CIA
Career Objectives         | Chief Information Officer; Consultant: Auditor/Advisor for Information Systems/Technology Control | Chief Financial Officer; Head of Internal Audit Division

ISACA: Information Systems Audit and Control Association
- The Information Systems Audit and Control Association (ISACA) is a recognized global leader in IT governance, control and assurance.
- ISACA sponsors international conferences and administers the globally respected CISA.
- Founded in 1969; now more than 110,000 constituents in over 180 countries. Its members include internal and external auditors, CEOs, CFOs, CIOs, educators, information security and control professionals, business managers, students, and IT consultants.
- Develops globally applicable Information Systems (IS) Auditing and Control Standards.
- Certifies professionals as CISA (Certified Information Systems Auditor): more than 103,000 have earned the CISA designation since its inception in 1978.


Specific Industry Applications
- Banking (Internet and mobile banking)
- Insurance (agency systems)
- Telecommunication (billing systems)
- Oil and Gas (purchasing and inventory systems)
- Manufacturing (product costing)
- Retail (point of sale)

Non-Specific Industry Applications
- Reporting systems
- Call center
- Enterprise Resource Planning
- Office automation
- Cloud computing

The Need for Control and IS Audit


Your business processes depend on the computer applications and data that support them - so you need to be sure that your data and systems are secure. Yet, all the time, rapid changes in business and technology keep increasing your organization's control and security challenges - and reducing your reaction time.
Source: Ernst & Young website www.ey.com

IT Business Risk
Although technology provides opportunities for growth and development, it also represents threats, such as disruption, deception, theft, and fraud. Research shows that outside attackers threaten organizations, yet trusted insiders are a far greater threat.

IT controls are essential to protect assets, customers, partners, and sensitive information; to demonstrate safe, efficient, and ethical behavior; and to preserve brand, reputation, and trust. In today's global market and regulatory environment, these things are too easy to lose.

Information Security Risk
[Figure: the security properties of information (confidentiality, integrity, availability) set against the risks to them: unauthorized disclosure/theft, unauthorized use, unauthorized modification, and unauthorized destruction/denial.]

Executives' View about IT Risk and Control
1. Why should I understand IT risk and control? Two words: assurance and reliability.
2. What is to be protected? Trust should be protected, because it ensures business efficiency.
3. Where are IT controls applied? Everywhere. IT includes technology components, processes, people, organization, and architecture, as well as the information itself.
4. Who is responsible? Everyone. However, control ownership and responsibilities must be defined and disseminated by management.
5. When should IT risk and controls be assessed? Always. IT is a rapidly changing environment that promotes process and organizational change.
6. How much control is enough? Management must decide based on risk appetite, tolerance and mandatory regulations.

View of IT Controls
Information system auditors need to understand the range of controls available for mitigating IT risks.

IT Governance
The controls can be thought of as existing within a hierarchy that relies on the operating effectiveness and interconnectivity of the controls, as well as on the realization that failure of one set of controls leads to increased reliance on, and necessary examination of, other control groups.

Another View
General Control
General IT controls are typically pervasive in nature and are addressed through various audit avenues.

Application Control
Application controls provide another category of controls and include controls within an application around input, processing, and output.
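To make the three kinds of application control concrete, here is an added example (not from the slides, and not any organization's actual code) of a batch-posting job with input controls (field validation), a processing control (control totals fixed before posting) and an output control (the same totals recomputed from what was actually posted, then reconciled). The record format, the sample batch and the toy ledger are constructed assumptions; the ledger deliberately loses one valid record so that the output reconciliation has something to catch.

```python
"""Added example (not from the slides): input, processing and output controls
around a simple batch-posting job, using the control-total technique.
The record format (10-digit account, decimal amount), the sample batch and
the toy ledger are constructed assumptions for illustration."""
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation
import re

# Assumed input format: accounts are exactly 10 digits.
ACCOUNT_RE = re.compile(r"^\d{10}$")


@dataclass(frozen=True)
class ControlTotals:
    """Batch control totals, fixed at input and recomputed from output."""
    record_count: int
    amount_total: Decimal
    hash_total: int  # sum of account numbers: meaningless, but any lost or altered record shifts it

    @classmethod
    def of(cls, records):
        return cls(
            record_count=len(records),
            amount_total=sum((Decimal(r["amount"]) for r in records), Decimal("0")),
            hash_total=sum(int(r["account"]) for r in records),
        )


def validate_record(rec):
    """Input controls: format, type and range checks; returns a list of errors."""
    errors = []
    if not ACCOUNT_RE.match(str(rec.get("account", ""))):
        errors.append("account must be 10 digits")
    try:
        amt = Decimal(str(rec.get("amount")))
    except InvalidOperation:
        errors.append("amount is not numeric")
    else:
        if amt <= 0:
            errors.append("amount must be positive")
        elif amt.as_tuple().exponent < -2:
            errors.append("amount has more than two decimals")
    return errors


def screen_batch(batch):
    """Apply the input controls to every record; nothing is dropped silently."""
    accepted, rejected = [], []
    for rec in batch:
        errs = validate_record(rec)
        if errs:
            rejected.append((rec, errs))
        else:
            accepted.append(rec)
    return accepted, rejected


def post_to_ledger(records, ledger):
    """Processing step (simulated): credit each record's account.
    It reproduces a classic defect on purpose: a record whose account is not in
    the ledger is skipped with no error, which only the output control reveals."""
    posted = []
    for rec in records:
        if rec["account"] in ledger:
            ledger[rec["account"]] += Decimal(rec["amount"])
            posted.append(rec)
    return posted


def run_batch(batch, ledger):
    """Input -> processing -> output controls for one batch."""
    accepted, rejected = screen_batch(batch)
    expected = ControlTotals.of(accepted)   # processing control: totals fixed before posting
    posted = post_to_ledger(accepted, ledger)
    actual = ControlTotals.of(posted)       # output control: totals recomputed from what was posted
    return {
        "rejected": rejected,
        "expected": expected,
        "actual": actual,
        "reconciled": expected == actual,   # a non-reconciling batch is investigated, not accepted
    }


# Constructed sample batch: two bad records and one that the ledger will lose.
SAMPLE_BATCH = [
    {"account": "1000000001", "amount": "250.00"},
    {"account": "1000000002", "amount": "99.99"},
    {"account": "1000000003", "amount": "10.00"},  # valid, but not in the ledger
    {"account": "12345", "amount": "5.00"},        # fails input control
    {"account": "1000000001", "amount": "-1.00"},  # fails input control
]


def demo():
    """Run the sample batch against a ledger that lacks account 1000000003."""
    ledger = {"1000000001": Decimal("0"), "1000000002": Decimal("0")}
    return run_batch(SAMPLE_BATCH, ledger)


if __name__ == "__main__":
    result = demo()
    print("rejected at input:", len(result["rejected"]), "reconciled:", result["reconciled"])
```

The point an auditor looks for is that the input control totals are fixed before processing and compared afterwards by something the processing step cannot influence: the hash total of account numbers is worthless as a business figure, but a record that is dropped, duplicated or posted to the wrong account changes it, so a batch that does not reconcile is held for investigation rather than accepted.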

IT Governance
When addressing the topic of IT controls, an important consideration is IT governance, which provides the framework to ensure that IT can support the organization's overall business needs.
IT governance is not only composed of the controls needed to address identified risk; it is also an integrated structure of IT practices and personnel that must be aligned closely with, and enable achievement of, the organization's overall strategies and goals.

IT Controls
[Figure: IT controls within internal controls]
- Application Controls: computer application systems and programs
- General Controls: application systems development/changes; computer service center (operations and security)

IT Controls and Financial Reporting


Financial Audit Objective and External Auditor's Responsibility
The primary objective of an audit of financial statements is to express an opinion as to whether the financial statements are fairly presented, in all material respects, at a specified date. It is the external auditor's responsibility to design the audit engagement to provide reasonable assurance that the financial statements are fairly stated in all material respects.

When is an IS Audit required, and when not?
- Importance to the client's business activities: limited / moderate / very important
- Complexity of the computer environment: simple / moderate / complex
- Extent of use in the business: limited / moderate / pervasive
- Overall classification: minor / significant / dominant
An IS auditor will be involved if the overall classification is significant or dominant. Does the size of a company also determine the involvement of an IS auditor?

SPAP* related to IS Audit
- SA 314: Risk Assessment and Internal Control - Considerations and Characteristics of Computer Information Systems (SIK)
- SA 319: Consideration of Internal Control in a Financial Statement Audit
- SA 324: Reporting on the Processing of Transactions by Service Organizations
- SA 327: Computer-Assisted Audit Techniques
- SA 335: Auditing in a Computer Information Systems (SIK) Environment
* SPAP = Standar Profesional Akuntan Publik, the Indonesian professional standards for public accountants (issued by Institut Akuntan Publik Indonesia/IAPI)

Conclusion
An IS audit is very relevant when external auditors are engaged to audit a client with a significant or dominant computer processing environment. From the external auditor's point of view, an IS audit helps them determine whether control assurance and substantive assurance can be obtained, in order to achieve an effective and efficient audit.


Agenda 4: Application of IS Audit and WebTrust

WebTrust / SysTrust Certification

WebTrust Defined
Note: fulfilment of the PROCESSING INTEGRITY principle is covered through SysTrust (see the following slide).

Ernst & Young's seal: Cyber Process Certification

Report of Management
Example of a WebTrust application

Report of Independent Accountants

Certification in Internet Banking
VeriSign Certificate

Example of application: Financial Statement Audit & WebTrust
Certification in Internet Banking

Comparison of Seals
Criteria compared for each seal: Transaction [Integrity], Privacy of Data, Security of Data, Business Policies, Processing Integrity; and Cost.

Product    | Cost
BBBOnline  | Low
TRUSTe     | Low
VeriSign   | Low to Medium
ICSA       | High
WebTrust   | High

The per-criterion ratings did not survive extraction in row order; the values present on the slide are NO, Lightly Covered, Somewhat Covered, YES, and for one seal "YES: data transmittal / NO: data storage".

End of Presentation

Thank You!
