Documente Academic
Documente Profesional
Documente Cultură
Agenda
1. 2. 3. 4. Introduction to Information System Auditing Introduction to the Basis of IT-related Business Risks and Controls Integration of Financial Audit and IS Audit Application of IS Audit and Web Trust
Backgrounds
1. Return on Investment & IT Business risks
Significant portion of Companys investment in Information Technology
Companies implement new system (ERP, e-Commerce) or significant modification (changed business requirements) Will the business requirement be met by IT solutions ? Return on Investment ?
Backgrounds (contd)
2. Complex system & Assurance needs
Highly integrated-computerized processing of business transactions
Needs to have certain level of understanding and assurance of complex accounting transactions processing system.
Backgrounds (contd)
3. Quality and Career
Maintain individual competitiveness (globalization) Focus and specialization in managing IT risk and audit
4. Audit Requirements
For External Auditor
SA Seksi 314 Risk Assessment and internal control - consideration and EDP characteristics SA Seksi 335 Auditing in EDP environment
IS Audit Objectives
Asset Safeguarding
The assets of a computer installation include hardware, software, people, data files, system documentation, and supplies must be protected by system of internal control.
Data Integrity
Data integrity is a fundamental concept in IS auditing. It is a state implying data has certain attributes: completeness, soundness, purity, veracity.
Auditee
ISACA
CISA Chief Information Officer, Consultants: Auditor/Advisor for Information Systems/Technology Control
Information Systems Audit and Control Association (ISACA) is a recognized global leader in IT governance, control and assurance. ISACA sponsors international conferences, administers the globally respected CISA Founded in 1969, Now more than 110,000 constituents in over 180 countries, Its members include internal and external auditors, CEOs, CFOs, CIOs, educators, information security and control professionals, business managers, students, and IT consultants Develops globally-applicable Information Systems (IS) Auditing and Control Standards. Certify professionals with CISA (Certified Information Systems Auditor) More than 103,000 have earned the CISA designation since its inception in 1978.
Agenda
1. 2. 3. 4. Introduction to Information System Auditing Introduction to the Basis of IT-related Business Risks and Controls Integration of Financial Audit and IS Audit Application of IS Audit and Web Trust
IT Business Risk
Although technology provides opportunities for growth and development, it also represents threats, such as disruption, deception, theft, and fraud. Research shows that outside attackers threaten organizations, yet trusted insiders are a far greater threat.
IT controls are essential to protect assets, customers, partners, and sensitive information; demonstrate safe, efficient, and ethical behavior; and preserve brand, reputation, and trust. In todays global market and regulatory environment, these things are too easy to lose.
Information
Unauthorized Use
Confidentiality
Integrity Availability
Unauthorized modification
Security
2 2
Where are IT controls applied? Everywhere. IT includes technology components, processes, people, organization, and architecture, as well as the information itself
25
When should IT risk and controls be assessed? Always. IT is a rapidly changing environment that promotes process and organizational change.
How much control is enough? Management must decide based on risk appetite, tolerance and mandatory regulations.
View of IT Controls
Information system auditors need to understand the range of controls available for mitigating IT risks.
IT Governance
The controls can be thought of as existing within a hierarchy that relies on the operating effectiveness interconnectivity of the controls as well as the realization that failure of a set of controls can lead to increased reliance and necessary examination of other control groups
Another View
General Control
General IT controls are typically pervasive in nature and are addressed through various audit avenues.
Application Control
Application controls provide another category of controls and include controls within an application around input, processing, and output.
IT Governance
When addressing the topic of IT controls, an important consideration is IT governance, which provides the framework to ensure that IT can support the organizations overall business needs.
IT Governance is not only composed of the control needed to address identified risk but also is an integrated structure of IT practices and personnel that must be aligned closely with and enable achievement of the organizations overall strategies and goals.
IT Controls
Application Controls Computer Application Systems and Program
INTERNAL CONTROLS
Application Systems Development/ Changes General Controls Computer Service Center (Operations and Security)
Agenda
1. 2. 3. 4. Introduction to Information System Auditing Introduction to the Basis of IT-related Business Risks and Controls Integration of Financial Audit and IS Audit Application of IS Audit and Web Trust
Conclusion
An IS audit is very relevant when external auditors are engaged in auditing a client having significant or dominant computer processing environment(s). From external auditors point of view, an IS audit will help them to determine whether control assurance and substantive assurance can be obtained in order to achieve effective and efficient audit.
Agenda
1. 2. 3. 4. Introduction to Information System Auditing Introduction to the Basis of IT-related Business Risks and Controls Integration of Financial Audit and IS Audit Application of IS Audit and WebTrust
WebTrust Defined
Catatan pemenuhan prinsip PROCESSING INTEGRITY Melalui Systrust (lihat slide berikut)
Report of Management
Contoh Penerapan WebTrust
VeriSign Certificate
Comparison of Seals
Transaction Privacy of Security of Business Processing Data Data Policies Integrity NO NO Lightly NO Covered YES NO NO NO NO YES: Data NO NO Transmittal NO: Data Storage YES YES Somewhat Lightly Covered Covered YES YES YES YES
ICSA WebTrust
High High
End of Presentation
Thank You!
L/O/G/O